Bug 2133541 - [pod security violation audit] Audit violation in "bridge-marker" container should be fixed
Summary: [pod security violation audit] Audit violation in "bridge-marker" container s...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Networking
Version: 4.11.1
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
: 4.12.0
Assignee: Petr Horáček
QA Contact: Yossi Segev
URL:
Whiteboard:
Depends On:
Blocks: 2089744
TreeView+ depends on / blocked
 
Reported: 2022-10-10 19:42 UTC by SATHEESARAN
Modified: 2023-01-24 13:41 UTC (History)
5 users (show)

Fixed In Version: bundle v4.12.0-769
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-01-24 13:41:26 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CNV-21781 0 None None None 2022-11-10 14:13:16 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:41:52 UTC

Description SATHEESARAN 2022-10-10 19:42:51 UTC 
Description of problem:
-----------------------
Test run[1] that looks for 'pod security violation entries' in audit logs,against 4.11.1-20, found few audit violation.

[1] - https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/view/cnv-tests%20runner/job/cnv-tests-runner/4297/consoleFull.

This bug is to fix violation in 'bridge-marker' container.

<snip>
'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true), allowPrivilegeEscalation != false (container "bridge-marker" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "bridge-marker" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "bridge-marker" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "bridge-marker" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'}}
</snip>

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
4.11.1-20

How reproducible:
-----------------
Always

Expected results:
-----------------
No audit-violation to be found
Comment 1 Petr Horáček 2022-10-11 12:56:49 UTC 
I believe that this was addressed via https://github.com/kubevirt/cluster-network-addons-operator/pull/1404 in v4.11.1-29. The problem is that errata is stuck on a build that is two weeks old.
Comment 2 Yossi Segev 2022-10-24 18:42:20 UTC 
Still happens on
CNV (HCO bundle) v4.11.1-49 (IIB: 346131)
bridge-marker: v4.11.1-5

Reproduction scenario:
I Ran the same tests that was run in the original bug scenario (https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/view/cnv-tests%20runner/job/cnv-tests-runner/4297/consoleFull), with https://code.engineering.redhat.com/gerrit/c/cnv-tests/+/430017, which was also used in the original scenario, cherry-picked.
* I ran from the cluster executor rather than from the Jenkins test job.

$ poetry run pytest -svv -o log_cli=true tests/install_upgrade_operators/pod_security/test_pod_security_audit_log.py --bugzilla --jira --junit-xml xunit_results.xml --tc=region:USA --tb=native --cluster-sanity-skip-storage-check

Result (from the test output log):
'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true), allowPrivilegeEscalation != false (container "bridge-marker" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "bridge-marker" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "bridge-marker" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "bridge-marker" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
Comment 4 Petr Horáček 2022-11-10 14:06:18 UTC 
After discussing this issue offline, we came to a conclusion that while the component should be safe with the default security context it gets from OpenShift, we need to explicitly set it to silence the audit log.
Comment 6 Satyajit Bulage 2022-12-22 11:46:46 UTC 
Followed same steps from comment 2.

Still able to see the violation:

'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true), allowPrivilegeEscalation != false (container "bridge-marker" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "bridge-marker" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "bridge-marker" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "bridge-marker" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'

Installed CNAO version: v4.11.2-1
CNV version: 4.11.2-10
CNI plugin: 4.11.2-1

Failed ON_QA.
Comment 7 Yossi Segev 2023-01-02 17:27:16 UTC 
Verified by running the same scenario from comment #2.

OCP version: 4.12.0-rc.2
CNV 4.12.0-769
bridge-marker v4.12.0-24
Comment 9 Yossi Segev 2023-01-23 15:00:06 UTC 
(In reply to Yossi Segev from comment #7)
> Verified by running the same scenario from comment #2.
> 
> OCP version: 4.12.0-rc.2
> CNV 4.12.0-769
> bridge-marker v4.12.0-24

Also verified on 2 upgraded clusters:
OCP+CNV 4.11->4.12
OCP+CNV 4.10->4.12 (EUS upgrade).
Comment 11 errata-xmlrpc 2023-01-24 13:41:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0408
Note You need to log in before you can comment on or make changes to this bug.