Description of problem:
-----------------------
Test run[1] that looks for 'pod security violation entries' in audit logs, against 4.11.1-20, found a few audit violations.

[1] - https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/view/cnv-tests%20runner/job/cnv-tests-runner/4297/consoleFull

This bug is to fix the violation in the 'cdi-controller' container.

<snip>
'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cdi-controller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cdi-controller" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "cdi-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")',
</snip>

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
4.11.1-20

How reproducible:
-----------------
Always

Expected results:
-----------------
No audit-violation to be found
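Added example, not code from the bug report or from the CDI project: a small checker that applies the three "restricted" rules named in the quoted audit annotation (allowPrivilegeEscalation, capabilities.drop, seccompProfile) to a Pod spec dict, and runs it over a constructed spec that reproduces the reported state (no securityContext on the container) beside a constructed spec with the fields the message asks for. The function name, the two spec constants and the image tag are assumptions; the real PodSecurity "restricted" profile has further checks (privileged, runAsNonRoot, added capabilities, host namespaces) that this checker does not cover.

```python
"""Check a Pod spec against the three PodSecurity "restricted" rules quoted in
the audit annotation above.  Example code added here; not CDI project code.
The pod specs and image tag below are constructed for illustration."""

# seccompProfile.type values the quoted message accepts
RESTRICTED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod_spec: dict) -> list[str]:
    """Return audit-style violation messages for the 'spec' of a Pod.

    Only the checks the bug report quotes are implemented; container-level
    seccompProfile overrides the pod-level one, as the message's
    "pod or container" wording describes."""
    violations = []
    pod_sc = pod_spec.get("securityContext") or {}
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")
    containers = list(pod_spec.get("containers", [])) + list(pod_spec.get("initContainers", []))
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # Rule 1: allowPrivilegeEscalation must be explicitly false (unset counts as a violation)
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'allowPrivilegeEscalation != false (container "{name}" must set '
                f"securityContext.allowPrivilegeEscalation=false)")
        # Rule 2: capabilities.drop must contain "ALL"
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            violations.append(
                f'unrestricted capabilities (container "{name}" must set '
                f'securityContext.capabilities.drop=["ALL"])')
        # Rule 3: seccompProfile.type RuntimeDefault or Localhost, on the pod or the container
        c_seccomp = (sc.get("seccompProfile") or {}).get("type")
        effective = c_seccomp if c_seccomp is not None else pod_seccomp
        if effective not in RESTRICTED_SECCOMP:
            violations.append(
                f'seccompProfile (pod or container "{name}" must set '
                f'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return violations


# Constructed: a container with no securityContext at all, as reported for cdi-controller
VIOLATING_SPEC = {
    "containers": [{"name": "cdi-controller", "image": "cdi-controller:example"}],
}

# Constructed: the same container with the fields the audit message asks for
HARDENED_SPEC = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "cdi-controller",
        "image": "cdi-controller:example",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("violating", VIOLATING_SPEC), ("hardened", HARDENED_SPEC)):
        found = restricted_violations(spec)
        print(f"{label}: {len(found)} violation(s)")
        for msg in found:
            print("  -", msg)
```

Running the script prints three violations for the first spec, matching the three clauses of the quoted annotation, and none for the second. The checker is useful as a pre-merge guard on manifests, but the authoritative source remains the API server's audit annotation, which is produced by the full restricted profile.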
This has been fixed in 4.12 for long enough that it's hard to find the exact version where it was fixed. Listing a recent version of CNV. Note this required some downstream follow-up: https://gitlab.cee.redhat.com/cpaas-midstream/openshift-virtualization/containerized-data-importer/-/merge_requests/235/diffs?commit_id=4fb52f90c66ebd7767dd99bb47e73f5c62c08236
Tested on CNV v4.12.0-682: no cdi-controller container 'pod security violation' error in audit logs.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0408