This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 2209444 - PSA violation messages due to a restricted profile cluster-network-addons-operator and its components: kube-cni-linux-bridge-plugin, bridge-marker
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Container Native Virtualization (CNV)
Classification: Red Hat
Component: Networking
Version: 4.13.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.14.2
Assignee: Quique Llorente
QA Contact: Yossi Segev
URL:
Whiteboard:
Duplicates: 2223982
Depends On:
Blocks:
Reported: 2023-05-23 22:44 UTC by Debarati Basu-Nag
Modified: 2024-04-13 04:25 UTC
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-12-14 16:12:25 UTC
Target Upstream Version:
Embargoed:


Attachments:


Links: Red Hat Issue Tracker CNV-29008 (last updated 2023-12-14 16:12:24 UTC)

Comment 2 Petr Horáček 2023-07-24 08:58:08 UTC
This also affects freshly deployed 4.14 clusters: https://bugzilla.redhat.com/show_bug.cgi?id=2223982

Comment 3 Petr Horáček 2023-07-24 09:03:07 UTC
*** Bug 2223982 has been marked as a duplicate of this bug. ***

Comment 4 Petr Horáček 2023-07-24 09:04:40 UTC
From the 4.14 BZ:

Sample entry (http://pastebin.test.redhat.com/1105334):
=============
tests.install_upgrade_operators.pod_security.test_pod_security_audit_log.PodSecurityViolationError: User-agent: cluster-network-addons-operator/v0.0.0 (linux/amd64) kubernetes/$Format, Violations:
	{'kind': 'Event', 'apiVersion': 'audit.k8s.io/v1', 'level': 'Metadata', 'auditID': 'aacdc782-808c-4a97-86bf-dd0ad956fec5', 'stage': 'ResponseComplete', 'requestURI': '/apis/apps/v1/namespaces/openshift-cnv/daemonsets/kube-cni-linux-bridge-plugin', 'verb': 'update', 'user': {'username': 'system:serviceaccount:openshift-cnv:cluster-network-addons-operator', 'uid': '813a213c-e689-460e-bb7f-b6bfa1dc35e9', 'groups': ['system:serviceaccounts', 'system:serviceaccounts:openshift-cnv', 'system:authenticated'], 'extra': {'authentication.kubernetes.io/pod-name': ['cluster-network-addons-operator-58d9cd5fcb-ljswg'], 'authentication.kubernetes.io/pod-uid': ['47714ae1-1883-46e0-add1-c2e91e1c7a3b']}}, 'sourceIPs': ['10.9.96.50'], 'userAgent': 'cluster-network-addons-operator/v0.0.0 (linux/amd64) kubernetes/$Format', 'objectRef': {'resource': 'daemonsets', 'namespace': 'openshift-cnv', 'name': 'kube-cni-linux-bridge-plugin', 'uid': '51f47752-0518-4b52-a6d5-3b3474fc02e8', 'apiGroup': 'apps', 'apiVersion': 'v1', 'resourceVersion': '757730'}, 'responseStatus': {'metadata': {}, 'code': 200}, 'requestReceivedTimestamp': '2023-07-18T08:06:37.217045Z', 'stageTimestamp': '2023-07-18T08:06:37.230942Z', 'annotations': {'authorization.k8s.io/decision': 'allow', 'authorization.k8s.io/reason': 'RBAC: allowed by RoleBinding "kubevirt-hyperconverged-operator.v4.14.0-cluster-net-7dcf5fd9f6/openshift-cnv" of Role "kubevirt-hyperconverged-operator.v4.14.0-cluster-net-7dcf5fd9f6" to ServiceAccount "cluster-network-addons-operator/openshift-cnv"', 'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": privileged (container "cni-plugins" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "cni-plugins" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cni-plugins" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "cnibin" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "cni-plugins" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cni-plugins" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'}}
=============
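As an added example (not part of this bug report or of cluster-network-addons-operator), the script below scans API-server audit events like the one above, pulls out the pod-security.kubernetes.io/audit-violations annotation and groups the failed restricted-profile checks by workload and requesting identity, which is how a cluster admin can see which operator-managed workloads still need securityContext fixes before the namespace is switched from audit to enforce. The sample audit lines are constructed and trimmed to the fields the script reads, modelled on the kube-cni-linux-bridge-plugin event in this comment.

```python
import json
import re
from collections import defaultdict

VIOLATION_KEY = "pod-security.kubernetes.io/audit-violations"

# Constructed sample audit log (one JSON event per line), trimmed to the fields used below.
SAMPLE_AUDIT_LINES = [
    json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "update",
        "user": {"username": "system:serviceaccount:openshift-cnv:cluster-network-addons-operator"},
        "objectRef": {"resource": "daemonsets", "namespace": "openshift-cnv", "name": "kube-cni-linux-bridge-plugin"},
        "annotations": {
            "authorization.k8s.io/decision": "allow",
            VIOLATION_KEY: (
                'would violate PodSecurity "restricted:latest": privileged (container "cni-plugins" '
                'must not set securityContext.privileged=true), allowPrivilegeEscalation != false '
                '(container "cni-plugins" must set securityContext.allowPrivilegeEscalation=false), '
                'restricted volume types (volume "cnibin" uses restricted volume type "hostPath")'
            ),
        },
    }),
    # An ordinary request with no PSA annotation, which the scan must ignore.
    json.dumps({"kind": "Event", "verb": "get", "user": {"username": "system:admin"},
                "objectRef": {"resource": "pods", "namespace": "default", "name": "web-0"},
                "annotations": {"authorization.k8s.io/decision": "allow"}}),
]

def parse_violations(annotation):
    """Split an audit-violations annotation into (profile, [(check, detail), ...])."""
    m = re.match(r'would violate PodSecurity "([^"]+)": (.*)', annotation)
    if not m:
        return None, []
    profile, checks = m.groups()
    # Each failed check is rendered as '<name> (<detail>)', comma separated; details hold no parentheses.
    return profile, [(n.strip(), d) for n, d in re.findall(r'([^,()]+?) \(([^)]*)\)', checks)]

def summarize_psa_violations(lines):
    """Group failed checks by (workload, requesting identity, enforced profile)."""
    report = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        ann = ev.get("annotations") or {}
        if VIOLATION_KEY not in ann:
            continue
        ref = ev.get("objectRef", {})
        workload = f'{ref.get("namespace")}/{ref.get("resource")}/{ref.get("name")}'
        actor = ev.get("user", {}).get("username", "unknown")
        profile, checks = parse_violations(ann[VIOLATION_KEY])
        report[(workload, actor, profile)].update(name for name, _ in checks)
    return {key: sorted(names) for key, names in report.items()}
```

Feed it the audit log of a cluster with the openshift-cnv namespace labelled pod-security.kubernetes.io/audit=restricted and each key in the result is a workload that would be rejected under enforce=restricted.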

Comment 5 Petr Horáček 2023-07-24 09:05:26 UTC
Setting the target for 4.14. Once we resolve the BZ, we can open a clone tracking 4.13 fix.

Comment 6 Petr Horáček 2023-07-24 09:08:32 UTC
@nrozen could QE provide YAML dumps of the openshift-cnv Namespace object and all of the cluster's scc objects from a 4.14 cluster? It would help Quique triage this BZ. Thanks.

Comment 7 Petr Horáček 2023-08-31 10:48:28 UTC
Moving to 4.14.1 since blockers-only is near and this is not a blocker.

Comment 8 Red Hat Bugzilla 2024-04-13 04:25:12 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
