OpenShift Authentication / AUTH-221

Pod Security compliance: openshift-authentication


Details

    • Bug
    • Resolution: Done
    • Auth - Sprint 218

    Description

      $ cat test.sh

      # All workload creation is audited on the masters, and the PodSecurity admission controller records any
      # audit-mode violation in the annotation below. The command lists every request that would violate PodSecurity.
      cat > cmd.txt << EOF
      grep -hir 'would violate PodSecurity' /var/log/kube-apiserver/ | jq -r '.requestURI + " " + .annotations."pod-security.kubernetes.io/audit-violations"'
      EOF
      
      CMD="$(cat cmd.txt)"
      oc new-project xxia-test
      
      # With admin, run the above cmd on all masters (oc debug runs it inside the host via chroot):
      MASTERS=$(oc get no | grep master | grep -o '^[^ ]*')
      for i in $MASTERS
      do
        oc debug -n xxia-test no/$i -- chroot /host bash -c "$CMD || true"
      done > all-violations.txt
      
      # Keep only system namespaces (openshift-* and kube-*), deduplicated
      grep -E 'namespaces/(openshift|kube)-' all-violations.txt | sort | uniq > all-violations_system_components.txt
      cat all-violations_system_components.txt
      

      In a 4.11.0-0.nightly-2022-05-10-174822 env, run the above script as admin:

      ./test.sh
      

      Got:

      /apis/apps/v1/namespaces/openshift-authentication/deployments/oauth-openshift would violate PodSecurity "restricted:latest": hostPath volumes (volume "audit-dir"), privileged (container "oauth-openshift" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "oauth-openshift" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "oauth-openshift" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "audit-dir" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "oauth-openshift" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "oauth-openshift" must not set runAsUser=0), seccompProfile (pod or container "oauth-openshift" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") 

      The log refers to container "oauth-openshift", which belongs to pods in the namespace openshift-authentication. Checking this namespace shows that it does not specify any pod-security labels:

      oc get ns openshift-authentication -o yaml | grep pod-security # none
      

      This namespace should add the pod-security labels to make the warning disappear.
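The grep/jq step of test.sh and the namespace label check, re-implemented as an added Python example (this is not the reporter's script): it parses kube-apiserver audit events (one JSON object per line), keeps only requests that carry the pod-security.kubernetes.io/audit-violations annotation, splits the annotation into the individual failed checks grouped per namespace and workload, and reports which pod-security.kubernetes.io/{enforce,audit,warn} labels a namespace lacks. The AUDIT_EVENTS sample and the label dicts are constructed for the example; the three label keys are the standard Pod Security Admission namespace labels, not values taken from this issue.

```python
"""Group PodSecurity audit-mode violations from kube-apiserver audit events.

Added example, not the issue's test.sh. AUDIT_EVENTS below is a constructed
sample of audit log lines; only the fields the parser needs are present.
"""
import json
import re
from collections import defaultdict

# Annotation the PodSecurity admission controller sets when a request would
# violate the namespace's audit level (key quoted in the issue).
VIOLATION_ANNOTATION = "pod-security.kubernetes.io/audit-violations"

# Standard Pod Security Admission namespace labels (assumption: these are the
# labels the issue says the namespace should add).
PSA_LABELS = (
    "pod-security.kubernetes.io/enforce",
    "pod-security.kubernetes.io/audit",
    "pod-security.kubernetes.io/warn",
)

OAUTH_URI = "/apis/apps/v1/namespaces/openshift-authentication/deployments/oauth-openshift"

# Constructed sample: one audit event per line, as grep -h over the audit dir would return them.
AUDIT_EVENTS = "\n".join([
    json.dumps({
        "requestURI": OAUTH_URI,
        "annotations": {VIOLATION_ANNOTATION: (
            'would violate PodSecurity "restricted:latest": hostPath volumes (volume "audit-dir"), '
            'privileged (container "oauth-openshift" must not set securityContext.privileged=true), '
            'runAsUser=0 (container "oauth-openshift" must not set runAsUser=0)')},
    }),
    # Compliant request: no violation annotation at all, must be ignored.
    json.dumps({"requestURI": "/api/v1/namespaces/xxia-test/pods/debug-pod",
                "annotations": {"authorization.k8s.io/decision": "allow"}}),
    # User namespace: dropped by the system-component filter, kept otherwise.
    json.dumps({
        "requestURI": "/apis/apps/v1/namespaces/myapp/deployments/web",
        "annotations": {VIOLATION_ANNOTATION: (
            'would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false '
            '(container "web" must set securityContext.allowPrivilegeEscalation=false)')},
    }),
])

NS_RE = re.compile(r"/namespaces/([^/]+)/")


def namespace_of(request_uri):
    """Namespace segment of a namespaced request URI, or None for cluster-scoped requests."""
    m = NS_RE.search(request_uri)
    return m.group(1) if m else None


def split_checks(message):
    """Return the failed check names from a violation annotation.

    The message has the form '<prefix>: check (detail), check (detail), ...'.
    Details are parenthesised and may contain commas, so split on commas at
    parenthesis depth 0 only, then drop the parenthesised detail.
    """
    body = message.split(": ", 1)[1]  # strip 'would violate PodSecurity "<level>"'
    checks, current, depth = [], [], 0
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            checks.append("".join(current).strip())
            current = []
            continue
        current.append(ch)
    if current:
        checks.append("".join(current).strip())
    return [c.split(" (", 1)[0] for c in checks]


def violations(audit_log, system_only=True):
    """Map {namespace: {requestURI: [failed check, ...]}} for every violating request.

    system_only mirrors the issue's grep for openshift-*/kube-* namespaces.
    """
    result = defaultdict(dict)
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        message = event.get("annotations", {}).get(VIOLATION_ANNOTATION)
        if not message:
            continue
        ns = namespace_of(event["requestURI"])
        if ns is None:
            continue
        if system_only and not ns.startswith(("openshift-", "kube-")):
            continue
        result[ns][event["requestURI"]] = split_checks(message)
    return dict(result)


def missing_psa_labels(ns_labels):
    """Pod-security labels absent from a namespace's metadata.labels (empty list means all set)."""
    return [key for key in PSA_LABELS if key not in ns_labels]


if __name__ == "__main__":
    for ns, workloads in violations(AUDIT_EVENTS).items():
        for uri, checks in workloads.items():
            print(f"{ns}: {uri.rsplit('/', 1)[1]} fails {', '.join(checks)}")
    # Constructed: the labels the issue observed on openshift-authentication (no pod-security ones).
    print("missing labels:", missing_psa_labels({"kubernetes.io/metadata.name": "openshift-authentication"}))
```

The depth-aware split matters because the annotation packs every failed check into one comma-separated string whose parenthesised details can themselves contain commas; a plain split on ", " would fragment those details.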

          People

            surbania Sergiusz Urbaniak (Inactive)
            xxia-1 Xingxing Xia