Details
Bug
Resolution: Done
Description
$ cat test.sh
# All workload creation is audited on masters with the annotation below.
# The following cmd checks all workloads that would violate PodSecurity.
cat > cmd.txt << EOF
grep -hir 'would violate PodSecurity' /var/log/kube-apiserver/ | jq -r '.requestURI + " " + .annotations."pod-security.kubernetes.io/audit-violations"'
EOF
CMD="`cat cmd.txt`"
oc new-project xxia-test
# With admin, run the above cmd on all masters:
MASTERS=`oc get no | grep master | grep -o '^[^ ]*'`
for i in $MASTERS
do
  oc debug -n xxia-test no/$i -- chroot /host bash -c "$CMD || true"
done > all-violations.txt
cat all-violations.txt | grep -E 'namespaces/(openshift|kube)-' | sort | uniq > all-violations_system_components.txt
cat all-violations_system_components.txt
In a 4.11.0-0.nightly-2022-05-10-174822 env, run the above script as admin:
./test.sh
Got:
/apis/apps/v1/namespaces/openshift-authentication/deployments/oauth-openshift would violate PodSecurity "restricted:latest": hostPath volumes (volume "audit-dir"), privileged (container "oauth-openshift" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "oauth-openshift" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "oauth-openshift" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "audit-dir" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "oauth-openshift" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "oauth-openshift" must not set runAsUser=0), seccompProfile (pod or container "oauth-openshift" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
The log mentions container "oauth-openshift", which belongs to pods in the openshift-authentication namespace. Checking this namespace shows it does not set any pod-security labels:
oc get ns openshift-authentication -o yaml | grep pod-security # none
This namespace should be given pod-security labels so that the warning disappears.
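As an added example (not code from the bug report), the Python below reimplements the grep/jq/sort/uniq triage from test.sh offline over audit lines and then applies the closing check, listing violating system namespaces that carry no pod-security.kubernetes.io label. The audit events, the kube-system and xxia-test request URIs and the namespace label table are all constructed inputs.

```python
# Added example (not from the bug report): an offline version of the report's grep|jq|sort|uniq
# pipeline over kube-apiserver audit lines, plus its closing namespace-label check. All inputs are constructed.
import json, re
from collections import defaultdict

VIOLATION_KEY = "pod-security.kubernetes.io/audit-violations"
NS_RE = re.compile(r"/namespaces/([^/]+)/")       # namespace segment of a requestURI
SYSTEM_NS_RE = re.compile(r"^(openshift|kube)-")  # the report's system-component filter
PSA_LABEL_RE = re.compile(r"^pod-security\.kubernetes\.io/(enforce|audit|warn)$")

MSG = 'would violate PodSecurity "restricted:latest": hostPath volumes (volume "audit-dir")'
OAUTH = "/apis/apps/v1/namespaces/openshift-authentication/deployments/oauth-openshift"
# Constructed audit events, one JSON object per line as in /var/log/kube-apiserver/.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"requestURI": OAUTH, "annotations": {VIOLATION_KEY: MSG}}),
    json.dumps({"requestURI": OAUTH, "annotations": {VIOLATION_KEY: MSG}}),  # duplicate, collapsed like uniq
    json.dumps({"requestURI": "/api/v1/namespaces/kube-system/pods/p", "annotations": {VIOLATION_KEY: MSG}}),
    json.dumps({"requestURI": "/api/v1/namespaces/xxia-test/pods/p", "annotations": {VIOLATION_KEY: MSG}}),  # user ns
    json.dumps({"requestURI": OAUTH, "annotations": {"authorization.k8s.io/decision": "allow"}}),  # no violation
    "not json at all",  # log noise the parser must skip
])
# Constructed stand-in for the labels shown by `oc get ns <name> -o yaml`.
SAMPLE_NS_LABELS = {
    "openshift-authentication": {"openshift.io/cluster-monitoring": "true"},
    "kube-system": {"pod-security.kubernetes.io/enforce": "privileged"},
}

def violations_by_namespace(audit_log, system_only=True):
    """Map namespace -> sorted, de-duplicated '<requestURI> <violation>' lines."""
    found = defaultdict(set)
    for line in audit_log.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # audit files may hold partial or non-JSON lines
        msg = (event.get("annotations") or {}).get(VIOLATION_KEY)
        uri = event.get("requestURI", "")
        m = NS_RE.search(uri)
        if not msg or not m or (system_only and not SYSTEM_NS_RE.match(m.group(1))):
            continue
        found[m.group(1)].add(f"{uri} {msg}")
    return {ns: sorted(v) for ns, v in found.items()}

def namespaces_missing_psa_labels(violations, ns_labels):
    """Violating namespaces that set no pod-security.kubernetes.io/{enforce,audit,warn} label."""
    return [ns for ns in sorted(violations)
            if not any(PSA_LABEL_RE.match(k) for k in ns_labels.get(ns, {}))]

if __name__ == "__main__":
    print(namespaces_missing_psa_labels(violations_by_namespace(SAMPLE_AUDIT_LOG), SAMPLE_NS_LABELS))
```

Pointing the parser at real files from /var/log/kube-apiserver/ and the real label output gives the same namespace list the report reaches by hand.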