Description: The project "openshift-storage", which is the default for ODF, is actually not excluded from the PSA. The project is missing the labels and is not excluded from the pod security admission plugin, which means that the violations will still be reported.

Errors:

~~~
zgrep -h pod-security.kubernetes.io/audit-violations must-gather.local.3394783972512996655/quay*/audit_logs/kube-apiserver/*log.gz | jq -r 'select(.annotations["pod-security.kubernetes.io/audit-violations"] != null) | (.objectRef | .namespace + " " + .name + " " + .resource) + " " + .annotations["pod-security.kubernetes.io/audit-violations"]' | sort | uniq -c
2 openshift-ops sscc-chmmas-a01ointssc-campusnl-debug pods would violate PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
1189 openshift-storage noobaa-endpoint deployments would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "endpoint" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "endpoint" must set securityContext.capabilities.drop=["ALL"]; container "endpoint" must not include "SETGID", "SETUID" in securityContext.capabilities.add), runAsNonRoot != true (pod or container "endpoint" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or container "endpoint" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
1 openshift-storage rook-ceph-crashcollector-sscc-chmsto-a01o.int.ssc-campus.nl deployments would violate PodSecurity "restricted:latest": privileged (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "rook-ceph-log", "rook-ceph-crash" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
1 openshift-storage rook-ceph-crashcollector-sscc-chmsto-a02o.int.ssc-campus.nl deployments would violate PodSecurity "restricted:latest": privileged (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "rook-ceph-log", "rook-ceph-crash" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
1 openshift-storage rook-ceph-crashcollector-sscc-chmsto-a03o.int.ssc-campus.nl deployments would violate PodSecurity "restricted:latest": privileged (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "rook-ceph-log", "rook-ceph-crash" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "make-container-crash-dir", "chown-container-data-dir", "ceph-crash" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
~~~

Fix: Label the project openshift-storage with the following labels:

~~~
"openshift.io/run-level": "0",
"pod-security.kubernetes.io/audit": "privileged",
"pod-security.kubernetes.io/enforce": "privileged",
"pod-security.kubernetes.io/warn": "privileged"
~~~
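The jq pipeline from the Errors section and the labels from the Fix section, reimplemented as an added example that is not part of the bug report or of ODF: it aggregates PodSecurity audit-violation events from audit log lines exactly as the `select | sort | uniq -c` pipeline does, and checks whether a namespace's labels match the privileged exclusion. The sample events, the `_event` helper and the node name `node-a` are constructed for the example.

```python
import json
from collections import Counter

AUDIT_ANNOTATION = "pod-security.kubernetes.io/audit-violations"
PSA_LABELS = ("pod-security.kubernetes.io/enforce",
              "pod-security.kubernetes.io/audit",
              "pod-security.kubernetes.io/warn")

def count_violations(lines):
    """Same selection as the report's jq filter: keep events carrying the
    audit-violations annotation, count per 'namespace name resource violation'."""
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        violation = (event.get("annotations") or {}).get(AUDIT_ANNOTATION)
        if violation is None:
            continue  # audit event without a PodSecurity violation
        ref = event.get("objectRef") or {}
        key = " ".join([ref.get("namespace", ""), ref.get("name", ""),
                        ref.get("resource", ""), violation])
        counts[key] += 1
    return counts

def is_psa_excluded(labels):
    """True when enforce, audit and warn are all 'privileged', the labels the
    Fix section applies; only then are restricted-profile violations not reported."""
    return all(labels.get(k) == "privileged" for k in PSA_LABELS)

def _event(ns, name, resource, violation):
    return json.dumps({"objectRef": {"namespace": ns, "name": name,
                                     "resource": resource},
                       "annotations": {AUDIT_ANNOTATION: violation}})

# Constructed sample events (not real must-gather lines); the last has no violation.
NOOBAA = ('would violate PodSecurity "restricted:latest": '
          'runAsUser=0 (pod must not set runAsUser=0)')
SAMPLE_LINES = [
    _event("openshift-storage", "noobaa-endpoint", "deployments", NOOBAA),
    _event("openshift-storage", "noobaa-endpoint", "deployments", NOOBAA),
    _event("openshift-storage", "rook-ceph-crashcollector-node-a", "deployments",
           'would violate PodSecurity "restricted:latest": privileged (...)'),
    json.dumps({"objectRef": {"namespace": "openshift-storage", "name": "x",
                              "resource": "pods"},
                "annotations": {"authorization.k8s.io/decision": "allow"}}),
]

if __name__ == "__main__":
    for key, n in sorted(count_violations(SAMPLE_LINES).items()):
        print(n, key)  # mirrors `sort | uniq -c` from the report
```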
Hi Team, any further update on this?
Hi Nitin, based on the Slack discussion link shared above, it seems PSA is turned on for 4.12 now and there is a Jira ticket related to this: https://issues.redhat.com/browse/OCPBUGS-15737. Kindly reconfirm.
Closing it as it is fixed in the OCP. Please refer to comment 8.