
Pod Security compliance: openshift-cert-manager-operator and its operand

Details

    • Bug
    • Resolution: Won't Do

    Description

      In the latest 4.11 env with the latest 1.8.0 openshift-cert-manager-operator installed, I checked the audit logs on the masters and found:

      /apis/apps/v1/namespaces/openshift-cert-manager/deployments/cert-manager-cainjector would violate PodSecurity "restricted:latest": unrestricted capabilities (container "cert-manager" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "cert-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      /apis/apps/v1/namespaces/openshift-cert-manager/deployments would violate PodSecurity "restricted:latest": unrestricted capabilities (container "cert-manager" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "cert-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      /apis/apps/v1/namespaces/openshift-cert-manager-operator/deployments/cert-manager-operator would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cert-manager-operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cert-manager-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "cert-manager-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cert-manager-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      /apis/apps/v1/namespaces/openshift-cert-manager-operator/deployments would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cert-manager-operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cert-manager-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "cert-manager-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cert-manager-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      /apis/apps/v1/namespaces/openshift-cert-manager-operator/replicasets would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cert-manager-operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cert-manager-operator" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "cert-manager-operator" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cert-manager-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      /apis/apps/v1/namespaces/openshift-cert-manager/replicasets would violate PodSecurity "restricted:latest": unrestricted capabilities (container "cert-manager" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "cert-manager" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      /api/v1/namespaces/openshift-cert-manager-operator/pods would violate PodSecurity "restricted:latest": runAsNonRoot != true (pod or container "cert-manager-operator" must set securityContext.runAsNonRoot=true)

      I raised this in the #control-plane-qe channel yesterday and checked https://github.com/openshift/cert-manager-operator/pulls today; there is no new PR for it. So I am creating this Jira issue as a tracker in case it is forgotten.
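As an added example, not code from this issue or from the cert-manager-operator project: a small Python checker that re-implements the four restricted-profile fields named in the audit messages above, so a Deployment's pod template can be checked before it reaches admission. It covers only those four checks, not the whole restricted profile, and the pod specs in it are constructed to reproduce the reported findings rather than taken from the operator's manifests.

```python
# Added example (not the operator's code): re-implements the four PodSecurity
# "restricted" checks named in the audit messages above. It covers only those
# four fields, not the whole restricted profile. All specs here are constructed.
def restricted_violations(pod_spec):
    """Return audit-style violation strings for a pod spec given as a dict."""
    pod_sc = pod_spec.get("securityContext", {})
    out = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f'allowPrivilegeEscalation != false (container "{name}" must set '
                       'securityContext.allowPrivilegeEscalation=false)')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            out.append(f'unrestricted capabilities (container "{name}" must set '
                       'securityContext.capabilities.drop=["ALL"])')
        # Pod-level runAsNonRoot / seccompProfile apply unless the container overrides them.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            out.append(f'runAsNonRoot != true (pod or container "{name}" must set '
                       'securityContext.runAsNonRoot=true)')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f'seccompProfile (pod or container "{name}" must set '
                       'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return out

def audit_message(resource_path, pod_spec):
    """Format violations like the kube-apiserver audit annotation; None when compliant."""
    v = restricted_violations(pod_spec)
    return f'{resource_path} would violate PodSecurity "restricted:latest": {", ".join(v)}' if v else None

# Constructed: no securityContext at all, reproducing the operator's four findings.
WEAK_OPERATOR_SPEC = {"containers": [{"name": "cert-manager-operator"}]}

# Constructed: only pod-level runAsNonRoot and allowPrivilegeEscalation=false are set,
# reproducing the two findings reported for the cert-manager containers.
PARTIAL_SPEC = {"securityContext": {"runAsNonRoot": True},
                "containers": [{"name": "cert-manager",
                                "securityContext": {"allowPrivilegeEscalation": False}}]}

# Constructed: the minimal settings that satisfy all four checks.
HARDENED_SPEC = {"securityContext": {"runAsNonRoot": True,
                                     "seccompProfile": {"type": "RuntimeDefault"}},
                 "containers": [{"name": "cert-manager-operator",
                                 "securityContext": {"allowPrivilegeEscalation": False,
                                                     "capabilities": {"drop": ["ALL"]}}}]}

if __name__ == "__main__":
    for spec in (WEAK_OPERATOR_SPEC, PARTIAL_SPEC, HARDENED_SPEC):
        print(audit_message("/apis/apps/v1/namespaces/example/deployments", spec))
```

The hardened spec is the shape the operator's Deployments would need to pass the restricted profile; a full check should still run the real admission controller, since the profile also constrains capabilities.add, host namespaces, privileged mode and volume types.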

      People

        Assignee: Unassigned
        Reporter: xxia-1 Xingxing Xia