- Type: Bug
- Resolution: Won't Do
In the latest 4.11 env with the latest 1.8.0 openshift-cert-manager-operator installed, I checked the audit logs on the masters and found:
/apis/apps/v1/namespaces/openshift-cert-manager/deployments/cert-manager-cainjector would violate PodSecurity "restricted:latest": unrestricted capabilities (container "cert-manager" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "cert-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-cert-manager/deployments would violate PodSecurity "restricted:latest": unrestricted capabilities (container "cert-manager" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "cert-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-cert-manager-operator/deployments/cert-manager-operator would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cert-manager-operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cert-manager-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "cert-manager-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cert-manager-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-cert-manager-operator/deployments would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cert-manager-operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cert-manager-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "cert-manager-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cert-manager-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-cert-manager-operator/replicasets would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cert-manager-operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cert-manager-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "cert-manager-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cert-manager-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/apis/apps/v1/namespaces/openshift-cert-manager/replicasets would violate PodSecurity "restricted:latest": unrestricted capabilities (container "cert-manager" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "cert-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
/api/v1/namespaces/openshift-cert-manager-operator/pods would violate PodSecurity "restricted:latest": runAsNonRoot != true (pod or container "cert-manager-operator" must set securityContext.runAsNonRoot=true)
I raised this in the #control-plane-qe channel yesterday and checked https://github.com/openshift/cert-manager-operator/pulls today; there is no new PR for it. So I am creating this Jira issue as a tracker in case it is forgotten.
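An added example, not code from the issue or from the operator project: a small Python checker for the four "restricted" Pod Security conditions named in the audit messages above (capabilities.drop ALL, seccompProfile type, allowPrivilegeEscalation, runAsNonRoot), run against a constructed pod spec that reproduces the cert-manager-operator findings and a hardened spec that clears them. Field names follow the Kubernetes PodSpec; both specs are constructed here, not the real manifests.

```python
# Minimal re-implementation of the four restricted-profile checks that appear in the
# PodSecurity audit messages above. Input is a dict shaped like a Kubernetes PodSpec.
RESTRICTED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _effective(pod_ctx, ctr_ctx, key):
    """Container-level securityContext overrides the pod-level one for shared fields."""
    return ctr_ctx[key] if key in ctr_ctx else pod_ctx.get(key)


def restricted_violations(pod_spec):
    """Return PSA-style violation strings for every container in pod_spec."""
    pod_ctx = pod_spec.get("securityContext") or {}
    violations = []
    for ctr in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name = ctr["name"]
        ctx = ctr.get("securityContext") or {}
        # Container-only fields: must be set explicitly on the container.
        if ctx.get("allowPrivilegeEscalation") is not False:
            violations.append(f'allowPrivilegeEscalation != false (container "{name}")')
        drops = (ctx.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drops:
            violations.append(f'unrestricted capabilities (container "{name}")')
        # Pod-or-container fields: pod-level value applies unless the container overrides it.
        if _effective(pod_ctx, ctx, "runAsNonRoot") is not True:
            violations.append(f'runAsNonRoot != true (pod or container "{name}")')
        seccomp_type = (_effective(pod_ctx, ctx, "seccompProfile") or {}).get("type")
        if seccomp_type not in RESTRICTED_SECCOMP_TYPES:
            violations.append(f'seccompProfile (pod or container "{name}")')
    return violations


# Constructed spec with no securityContext at all, matching the operator findings above.
VIOLATING_SPEC = {
    "containers": [{"name": "cert-manager-operator", "image": "example-placeholder"}],
}

# Constructed hardened spec: each field the audit messages ask for, at the level PSA accepts.
HARDENED_SPEC = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "cert-manager-operator",
        "image": "example-placeholder",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in (("violating", VIOLATING_SPEC), ("hardened", HARDENED_SPEC)):
        print(label, restricted_violations(spec))
```

Run locally, the violating spec yields the same four findings the audit log reports for the operator pod and the hardened spec yields none.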
- is cloned by: CFE-754 Operator Pod Security compliance: cert-manager (Closed)