OpenShift CFE / CFE-754

Operator Pod Security compliance: cert-manager


    • Story
    • Resolution: Done
    • Major
    • Strategic Product Work
    • OCPSTRAT-548 - Cert-Manager GA
    • CFE Sprint 231

Install cert-manager from OperatorHub in the OpenShift Console using the latest cert-manager operator from the brew registry:

$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.13.0-0.nightly-2023-01-27-165107   True        False         7h35m   Cluster version is 4.13.0-0.nightly-2023-01-27-165107

$ oc get csv -n cert-manager-operator 
NAME                           DISPLAY                                       VERSION   REPLACES   PHASE
cert-manager-operator.v0.0.1   cert-manager Operator for Red Hat OpenShift   0.0.1                Succeeded
$ oc get csv -n cert-manager-operator -o yaml | grep -A 1 VERSION
                  - name: OPERAND_IMAGE_VERSION
                    value: 1.9.1
                  - name: OPERATOR_IMAGE_VERSION
                    value: 1.9.1
$ cat check-podsecurity-audit.sh

#!/bin/bash
# Grep the audit logs of every kube-apiserver pod for PodSecurity admission findings.
# The pattern matches both the audit-mode annotation ("would violate PodSecurity ...")
# and the enforce-mode rejection message ("violates PodSecurity ..."), and the matching
# events are printed one JSON object per line, ordered by request time.
PATTERN='violate(s|) PodSecurity'
PODS=$(oc get po -n openshift-kube-apiserver -l apiserver --no-headers | grep -o "^[^ ]*")
for i in $PODS
do
  # "|| true" keeps the loop going when a pod's logs contain no match (grep exits 1)
  oc rsh -n openshift-kube-apiserver -c kube-apiserver "$i" bash -c "grep -hE '$PATTERN' /var/log/kube-apiserver/audit*.log || true"
done | jq -cs 'sort_by(.requestReceivedTimestamp)' | jq -c '.[]'

Then run:

bash check-podsecurity-audit.sh | grep cert-manager

Got:

{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"67c5e41c-c79e-49c2-a2ce-964cac928663","stage":"ResponseComplete","requestURI":"/apis/apps/v1/namespaces/cert-manager/deployments","verb":"create","user":{"username":"system:serviceaccount:cert-manager-operator:cert-manager-operator-controller-manager","uid":"0e81a5cb-b548-46ad-abc7-12ee46aec536","groups":["system:serviceaccounts","system:serviceaccounts:cert-manager-operator","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["cert-manager-operator-controller-manager-77f6948c47-j8pw6"],"authentication.kubernetes.io/pod-uid":["3db1e042-aa62-4818-87e0-571146da05d8"]}},"sourceIPs":["10.0.166.107"],"userAgent":"cert-manager-operator/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"deployments","namespace":"cert-manager","name":"cert-manager-webhook","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestReceivedTimestamp":"2023-01-28T07:59:20.352370Z","stageTimestamp":"2023-01-28T07:59:20.455915Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"cert-manager-operator.v0.0.1-75956f4974\" of ClusterRole \"cert-manager-operator.v0.0.1-75956f4974\" to ServiceAccount \"cert-manager-operator-controller-manager/cert-manager-operator\"","pod-security.kubernetes.io/audit-violations":"would violate PodSecurity \"restricted:latest\": seccompProfile (pod or container \"cert-manager\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"}}
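Added example (not part of this issue or of the operator's code): a Python reader for the events the script above emits. It keeps only audit events carrying the pod-security.kubernetes.io/audit-violations annotation and splits the annotation into the profile that was evaluated and the failing field, so violations can be grouped per workload rather than read out of a raw JSON line. The function name and the sample events are constructed for this example; the first sample is modelled on the cert-manager-webhook event above.

```python
import json
import re
from typing import Dict, Iterable, List

# Annotation the PodSecurity admission plugin adds to audit events in audit mode.
ANNOTATION = "pod-security.kubernetes.io/audit-violations"
# Annotation text looks like: 'would violate PodSecurity "restricted:latest": seccompProfile (...)'
VIOLATION_RE = re.compile(r'violates? PodSecurity "(?P<profile>[^"]+)": (?P<detail>.*)')

def pod_security_violations(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One record per audit event carrying a PodSecurity violation, sorted by request time."""
    records = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # stray non-JSON log text, not an audit event
        text = (event.get("annotations") or {}).get(ANNOTATION)
        if not text:
            continue  # request was not flagged by PodSecurity admission
        ref = event.get("objectRef") or {}
        match = VIOLATION_RE.search(text)
        records.append({
            "timestamp": event.get("requestReceivedTimestamp", ""),
            "user": (event.get("user") or {}).get("username", ""),
            "object": f'{ref.get("namespace", "")}/{ref.get("resource", "")}/{ref.get("name", "")}',
            "profile": match.group("profile") if match else "",
            "detail": match.group("detail") if match else text,
        })
    return sorted(records, key=lambda r: r["timestamp"])

# Constructed sample audit lines (trimmed): one modelled on the event above, an earlier
# baseline violation in another namespace, an allowed request, and one non-JSON line.
SAMPLE_AUDIT_LINES = [
    json.dumps({"verb": "create", "requestReceivedTimestamp": "2023-01-28T07:59:20.352370Z",
        "user": {"username": "system:serviceaccount:cert-manager-operator:cert-manager-operator-controller-manager"},
        "objectRef": {"resource": "deployments", "namespace": "cert-manager", "name": "cert-manager-webhook"},
        "annotations": {ANNOTATION: 'would violate PodSecurity "restricted:latest": seccompProfile '
            '(pod or container "cert-manager" must set securityContext.seccompProfile.type '
            'to "RuntimeDefault" or "Localhost")'}}),
    json.dumps({"verb": "create", "requestReceivedTimestamp": "2023-01-28T07:58:01.000000Z",
        "user": {"username": "kube:admin"},
        "objectRef": {"resource": "pods", "namespace": "demo", "name": "privileged-test"},
        "annotations": {ANNOTATION: 'would violate PodSecurity "baseline:latest": privileged '
            '(container "app" must not set securityContext.privileged=true)'}}),
    json.dumps({"verb": "get", "requestReceivedTimestamp": "2023-01-28T08:00:00.000000Z",
        "objectRef": {"resource": "pods", "namespace": "default", "name": "busybox"},
        "annotations": {"authorization.k8s.io/decision": "allow"}}),
    "I0128 08:00:01.000000 1 trace.go:219] not an audit event",
]
```

To use it against a cluster, pipe the output of check-podsecurity-audit.sh into the function via sys.stdin in place of the constructed list.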

swghosh@redhat.com Swarup Ghosh
xxia-1 Xingxing Xia