Task
Resolution: Done
ACM-1357 - Management Support of MicroShift devices
MCO Sprint 20, MCO Sprint 21, MCO Sprint 22
Context
When the endpoint operator runs on a MicroShift instance, the Kubernetes API raises some security warnings.
Requirements
Apply the recommendations from the following log lines, if possible:
2024-04-16T15:52:00.865Z INFO KubeAPIWarningLogger would violate PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true, hostPID=true), hostPort (container "kube-rbac-proxy" uses hostPort 9100), allowPrivilegeEscalation != false (containers "node-exporter", "kube-rbac-proxy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "node-exporter", "kube-rbac-proxy" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "sys", "root" use restricted volume type "hostPath"), seccompProfile (pod or containers "node-exporter", "kube-rbac-proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
2024-04-16T15:52:00.895Z INFO KubeAPIWarningLogger would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "kube-state-metrics", "kube-rbac-proxy-main", "kube-rbac-proxy-self" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "kube-state-metrics", "kube-rbac-proxy-main", "kube-rbac-proxy-self" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "kube-state-metrics" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "kube-state-metrics", "kube-rbac-proxy-main", "kube-rbac-proxy-self" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Acceptance
Security warnings have disappeared.
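Added example (not part of the original ticket or the project's code): a small Python parser that turns the PodSecurity warning messages quoted under Requirements into a per-container list of the securityContext settings they ask for, and separates the findings that carry no such hint (host namespaces, hostPort, hostPath volumes). The names parse_warning, CHECK_RE and LOG are illustrative.

```python
import re
from collections import defaultdict

# One "check (detail)" pair; details in these messages never nest parentheses.
CHECK_RE = re.compile(r'([^(),]+?)\s*\(([^()]*)\)')


def parse_warning(line):
    """Split a 'would violate PodSecurity' message into (profile, fixes, other).

    fixes: container name -> securityContext settings the warning asks for
    other: findings with no 'must set' hint (host namespaces, hostPort, hostPath)
    """
    m = re.search(r'would violate PodSecurity "([^"]+)": (.*)', line)
    if not m:
        return None
    profile, body = m.groups()
    fixes, other = defaultdict(list), []
    for check, detail in CHECK_RE.findall(body):
        targets, sep, setting = detail.partition(" must set ")
        if sep:
            # Quoted names before "must set" are the affected containers.
            for name in re.findall(r'"([^"]+)"', targets):
                fixes[name].append(setting)
        else:
            other.append(f"{check.strip()}: {detail}")
    return profile, dict(fixes), other


# Sample input: the two log lines quoted in this ticket.
LOG = [
    '2024-04-16T15:52:00.865Z INFO KubeAPIWarningLogger would violate PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true, hostPID=true), hostPort (container "kube-rbac-proxy" uses hostPort 9100), allowPrivilegeEscalation != false (containers "node-exporter", "kube-rbac-proxy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "node-exporter", "kube-rbac-proxy" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "sys", "root" use restricted volume type "hostPath"), seccompProfile (pod or containers "node-exporter", "kube-rbac-proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")',
    '2024-04-16T15:52:00.895Z INFO KubeAPIWarningLogger would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "kube-state-metrics", "kube-rbac-proxy-main", "kube-rbac-proxy-self" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "kube-state-metrics", "kube-rbac-proxy-main", "kube-rbac-proxy-self" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "kube-state-metrics" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "kube-state-metrics", "kube-rbac-proxy-main", "kube-rbac-proxy-self" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")',
]

if __name__ == "__main__":
    for line in LOG:
        profile, fixes, other = parse_warning(line)
        print(f"profile {profile}")
        for container, settings in fixes.items():
            print(f"  {container}:")
            for s in settings:
                print(f"    set {s}")
        for finding in other:
            print(f"  no securityContext hint -> {finding}")
```

The findings listed without a securityContext hint are the ones the warning gives no setting for, so they need a separate decision for the node-exporter pod.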