Bug 2133660 - [pod security violation audit] Audit violation in "cdi-source-update-poller" container should be fixed
Summary: [pod security violation audit] Audit violation in "cdi-source-update-poller" ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Storage
Version: 4.11.1
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: ---
: 4.12.0
Assignee: Michael Henriksen
QA Contact: Yan Du
URL:
Whiteboard:
Depends On:
Blocks: 2089744 2141669
TreeView+ depends on / blocked
 
Reported: 2022-10-11 05:49 UTC by SATHEESARAN
Modified: 2023-01-24 13:41 UTC (History)
5 users (show)

Fixed In Version: CNV v4.12.0-680
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 2141669 (view as bug list)
Environment:
Last Closed: 2023-01-24 13:41:26 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CNV-21790 0 None None None 2022-10-31 13:16:35 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:41:52 UTC

Description SATHEESARAN 2022-10-11 05:49:36 UTC 
Description of problem:
-----------------------
Test run[1] that looks for 'pod security violation entries' in audit logs,against 4.11.1-20, found few audit violation.

[1] - https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/view/cnv-tests%20runner/job/cnv-tests-runner/4297/consoleFull.

This bug is to fix violation in 'cdi-source-update-poller' container.

<snip>
'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cdi-source-update-poller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cdi-source-update-poller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "cdi-source-update-poller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cdi-source-update-poller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'}}
</snip>

Version-Release number of selected component (if applicable):
-------------------------------------------------------------
4.11.1-20

How reproducible:
-----------------
Always

Expected results:
-----------------
No audit-violation to be found
Comment 1 Maya Rashish 2022-11-09 07:57:37 UTC 
This has been fixed in 4.12 for long enough that it's hard to find the exact version where it was fixed.
Listing some recent version of CNV.

Note this required some downstream follow up-
https://gitlab.cee.redhat.com/cpaas-midstream/openshift-virtualization/containerized-data-importer/-/merge_requests/235/diffs?commit_id=4fb52f90c66ebd7767dd99bb47e73f5c62c08236
Comment 2 Yan Du 2022-11-10 08:43:46 UTC 
Test on CNV v4.12.0-628, no cdi-source-update-poller container 'pod security violation' error in audit logs.

@Maya, since it is fixed on 4.12, do we have plan to backport to 4.11?
Comment 4 Maya Rashish 2022-11-14 05:50:48 UTC 
Thanks, cloned the bug so we can backport it to 4.11.
Comment 7 errata-xmlrpc 2023-01-24 13:41:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0408
Note You need to log in before you can comment on or make changes to this bug.