Bug 2133656 - [4.12][pod security violation audit] Audit violation in "hostpath-provisioner-operator" container should be fixed
Summary: [4.12][pod security violation audit] Audit violation in "hostpath-provisioner...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Storage
Version: 4.11.1
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: ---
: 4.12.0
Assignee: Alexander Wels
QA Contact: Jenia Peimer
URL:
Whiteboard:
Depends On:
Blocks: 2089744 2140406
TreeView+ depends on / blocked
 
Reported: 2022-10-11 05:31 UTC by SATHEESARAN
Modified: 2023-01-24 13:41 UTC (History)
5 users (show)

Fixed In Version: CNV v4.12.0-631
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2140406 (view as bug list)
Environment:
Last Closed: 2023-01-24 13:41:26 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github kubevirt hostpath-provisioner-operator pull 263 0 None Merged Modify operator deployment so it can run with restricted security profile 2022-10-23 11:50:08 UTC
Red Hat Issue Tracker CNV-21787 0 None None None 2022-10-31 13:21:15 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:41:52 UTC

Description SATHEESARAN 2022-10-11 05:31:45 UTC 
Description of problem:
-----------------------
Test run[1] that looks for 'pod security violation entries' in audit logs,against 4.11.1-20, found few audit violation.

[1] - https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/view/cnv-tests%20runner/job/cnv-tests-runner/4297/consoleFull.

This bug is to fix violation in 'hostpath-provisioner-operator' container.

<snip>
'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "hostpath-provisioner-operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "hostpath-provisioner-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "hostpath-provisioner-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "hostpath-provisioner-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'}}
</snip>

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
4.11.1-20

How reproducible:
-----------------
Always

Expected results:
-----------------
No audit-violation to be found
Comment 7 errata-xmlrpc 2023-01-24 13:41:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0408
Note You need to log in before you can comment on or make changes to this bug.