Description of problem:
PodSecurity violation error is getting logged for pod-identity-webhook. If the component has such an issue but it is not filed for a fix, then the component will be broken in GA 4.11. Please refer to:
https://issues.redhat.com/browse/AUTH-221
https://issues.redhat.com/browse/AUTH-222

Version-Release number of selected component (if applicable):
jianpingshu@jshu-mac issue % oc version
Client Version: 4.10.0-0.nightly-2021-12-01-072705
Server Version: 4.11.0-0.nightly-2022-06-04-014713
Kubernetes Version: v1.24.0+bb9c2f1

How reproducible:

Steps to Reproduce:
1. Install an OCP cluster with version 4.11.0-0.nightly-2022-06-04-014713
2. Run the test.sh script in https://issues.redhat.com/browse/AUTH-221 to collect error/warning logs.

Actual results:
jianpingshu@jshu-mac issue % ./test.sh
Now using project "xxia-test" on server "https://api.jshu-0606-test3.qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

Warning: would violate PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/ip-10-0-151-109us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...
Warning: would violate PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/ip-10-0-173-141us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...
Warning: would violate PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/ip-10-0-213-162us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...
/api/v1/namespaces/openshift-cloud-credential-operator/pods would violate PodSecurity "restricted:latest": runAsNonRoot != true (pod or container "pod-identity-webhook" must set securityContext.runAsNonRoot=true)
/api/v1/namespaces/openshift-marketplace/pods would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "registry-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-cloud-credential-operator/deployments would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "pod-identity-webhook" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "pod-identity-webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "pod-identity-webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "pod-identity-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-cloud-credential-operator/replicasets would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "pod-identity-webhook" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "pod-identity-webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "pod-identity-webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "pod-identity-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Expected results:
No error/warning logs reported for openshift-cloud-credential-operator PodSecurity

Additional info:
Had a test with the following OCP versions, which include the fix. The same issue still exists.
https://amd64.ocp.releases.ci.openshift.org/releasestream/4.11.0-0.nightly/release/4.11.0-0.nightly-2022-06-09-202040
https://amd64.ocp.releases.ci.openshift.org/releasestream/4.11.0-0.nightly/release/4.11.0-0.nightly-2022-06-10-011212

jianpingshu@jshu-mac % oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-06-09-202040   True        False         16m     Cluster version is 4.11.0-0.nightly-2022-06-09-202040

jianpingshu@jshu-mac BUG-2093986 % ./test.sh
Removing debug pod ...
/api/v1/namespaces/openshift-cloud-credential-operator/pods would violate PodSecurity "restricted:latest": runAsNonRoot != true (pod or container "pod-identity-webhook" must set securityContext.runAsNonRoot=true)
/api/v1/namespaces/openshift-marketplace/pods would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "registry-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-cloud-credential-operator/deployments would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "pod-identity-webhook" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "pod-identity-webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "pod-identity-webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "pod-identity-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-cloud-credential-operator/replicasets would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "pod-identity-webhook" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "pod-identity-webhook" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "pod-identity-webhook" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "pod-identity-webhook" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

jianpingshu@jshu-mac % oc get pod pod-identity-webhook-7684d6c6bf-x66s8 -n openshift-cloud-credential-operator -o yaml > pod-identity-webhook-7684d6c6bf-x66s8.yaml

Checked the pod-identity-webhook-7684d6c6bf-x66s8.yaml; it seems the only gap is that "runAsNonRoot: true" is missing.
Checked the CCO PR#463, which previously modified manifests/03-deployment.yaml for webhook pod security. Shall we also change this file?
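The test.sh script referenced above is not on this page, so the following is an added example (not the script from AUTH-221, and not CCO code) that reproduces offline the "restricted" PodSecurity checks named in the warnings in the bug description and in the comment above. It audits a pod spec the way the API server's admission warning does and returns the same kind of messages, so a manifest change such as adding runAsNonRoot can be checked before it is pushed to a cluster. The two specs at the bottom are constructed stand-ins: WEBHOOK_BEFORE approximates the state the comment describes (everything set except runAsNonRoot) and DEBUG_POD approximates the oc debug pod whose warning appears verbatim above; neither is the real manifest, and the image names are placeholders.

```python
"""Offline audit of a pod spec against the PodSecurity "restricted" checks that
appear in the warnings above. Added example; the specs below are constructed
approximations, not the real pod-identity-webhook or oc debug manifests."""
import copy
from typing import Any, Dict, List

# Volume types the restricted profile allows; anything else (e.g. hostPath) is flagged.
ALLOWED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def restricted_violations(pod_spec: Dict[str, Any]) -> List[str]:
    """Return restricted-profile violations for a pod spec (a Pod's `spec`, or the
    `spec.template.spec` of a Deployment/ReplicaSet), worded like the API warnings."""
    out: List[str] = []
    pod_sc = pod_spec.get("securityContext") or {}

    host_ns = [f"{k}=true" for k in ("hostNetwork", "hostPID", "hostIPC") if pod_spec.get(k)]
    if host_ns:
        out.append("host namespaces (" + ", ".join(host_ns) + ")")

    containers = (
        (pod_spec.get("initContainers") or [])
        + (pod_spec.get("containers") or [])
        + (pod_spec.get("ephemeralContainers") or [])
    )
    for c in containers:
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            out.append(f'privileged (container "{name}" must not set securityContext.privileged=true)')
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f'allowPrivilegeEscalation != false (container "{name}" must set '
                       'securityContext.allowPrivilegeEscalation=false)')
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            out.append(f'unrestricted capabilities (container "{name}" must set '
                       'securityContext.capabilities.drop=["ALL"])')
        # Pod-level runAsNonRoot/runAsUser/seccompProfile apply unless the container overrides them.
        run_as_non_root = sc["runAsNonRoot"] if "runAsNonRoot" in sc else pod_sc.get("runAsNonRoot")
        if run_as_non_root is not True:
            out.append(f'runAsNonRoot != true (pod or container "{name}" must set '
                       'securityContext.runAsNonRoot=true)')
        run_as_user = sc["runAsUser"] if "runAsUser" in sc else pod_sc.get("runAsUser")
        if run_as_user == 0:
            out.append(f'runAsUser=0 (container "{name}" must not set runAsUser=0)')
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f'seccompProfile (pod or container "{name}" must set '
                       'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')

    for vol in pod_spec.get("volumes") or []:
        for vtype in (k for k in vol if k != "name"):
            if vtype not in ALLOWED_VOLUME_TYPES:
                out.append(f'restricted volume types (volume "{vol["name"]}" uses '
                           f'restricted volume type "{vtype}")')
    return out


# Constructed stand-in for the webhook pod as described in the comment above: every
# restricted check passes except runAsNonRoot (assumption, not the real CCO manifest).
WEBHOOK_BEFORE: Dict[str, Any] = {
    "containers": [{
        "name": "pod-identity-webhook",
        "image": "placeholder.example/pod-identity-webhook:placeholder",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "seccompProfile": {"type": "RuntimeDefault"},
        },
    }],
    "volumes": [{"name": "webhook-certs", "secret": {"secretName": "placeholder-certs"}}],
}

# Constructed stand-in for the `oc debug node/...` pod whose warning is quoted above.
DEBUG_POD: Dict[str, Any] = {
    "hostNetwork": True,
    "hostPID": True,
    "containers": [{
        "name": "container-00",
        "image": "placeholder.example/tools:placeholder",
        "securityContext": {"privileged": True, "runAsUser": 0},
    }],
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
}


def with_run_as_non_root(pod_spec: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with runAsNonRoot: true added at pod level, the one gap the
    comment above identifies in the webhook pod."""
    fixed = copy.deepcopy(pod_spec)
    sc = fixed.get("securityContext") or {}
    sc["runAsNonRoot"] = True
    fixed["securityContext"] = sc
    return fixed


if __name__ == "__main__":
    for label, spec in (("webhook (as reported)", WEBHOOK_BEFORE),
                        ("webhook (runAsNonRoot added)", with_run_as_non_root(WEBHOOK_BEFORE)),
                        ("debug pod", DEBUG_POD)):
        print(f"{label}: {restricted_violations(spec) or 'no violations'}")
```

The pod-level versus container-level handling matters for this bug: the deployment fix can set runAsNonRoot once in the pod securityContext rather than per container, and the check only flags a container that explicitly overrides it back to false. A spec loaded from `oc get pod ... -o yaml` can be passed in as `restricted_violations(doc["spec"])` after parsing the YAML.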
Tested with the accepted version 4.11.0-0.nightly-2022-06-11-054027. Still same as in above comment.
Verified with 4.11.0-0.ci-2022-06-15-173202.

jianpingshu@jshu-mac BUG-2093986 % oc version
Client Version: 4.10.0-0.nightly-2021-12-01-072705
Server Version: 4.11.0-0.ci-2022-06-15-173202
Kubernetes Version: v1.24.0-alpha.3.3646+25f9057fed7d4f-dirty

=== run test script, no error/warning reported for cco
jianpingshu@jshu-mac BUG-2093986 % ./test.sh
Now using project "xxia-test" on server "https://api.jshu-0616-test2.qe.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/serve_hostname

Warning: would violate PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/ip-10-0-150-96us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...
Warning: would violate PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/ip-10-0-162-119us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...
Warning: would violate PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Starting pod/ip-10-0-210-225us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`

Removing debug pod ...
/api/v1/namespaces/openshift-marketplace/pods would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "registry-server" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "registry-server" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "registry-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

=== Check pod-identity-webhook yaml, "runAsNonRoot: true" included
jianpingshu@jshu-mac run5 % oc get pod pod-identity-webhook-675ccb5d97-n5754 -n openshift-cloud-credential-operator -o yaml > pod-identity-webhook-675ccb5d97-n5754.yaml
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069