CLOUD-4133 (project: Cloud Enablement)

OpenShift changes to Pod Security Standards


    • Type: Task
    • Priority: Major
    • Resolution: Unresolved
    • EAP74 7.4.7.GA
    • EAP7

      As we found out during EAP testing, recent changes in pod security standards for OCP 4.11 and 4.12, described in https://connect.redhat.com/blog/important-openshift-changes-pod-security-standards, might affect the results of our OCP PIT tests, such as the failure described in https://bugzilla.redhat.com/show_bug.cgi?id=2120979.

      The error message seen during the test failure seems to be related to the changes:

      Invoking command: curl -k on node sdntmvxd-nfnkk-worker-0-qtndd failed.
      Error output is: error: PodSecurity violation error:
      Ensure the target namespace has the appropriate security level set or consider creating a dedicated privileged namespace using:
      "oc create ns <namespace> -o yaml | oc label -f - pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged".
      Original error:
      pods "sdntmvxd-nfnkk-worker-0-qtndd-debug" is forbidden: violates PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true, hostPID=true, hostIPC=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      The question is whether the error is caused by a wrong pod security configuration.
      Could you please clarify, from the ENG point of view, what the correct and suggested security configuration on pods/namespaces is? E.g. what exact labels need to be set? Thanks in advance.
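Added example (not OpenShift, Kubernetes or EAP code): a Python model of the restricted:v1.24 checks quoted in the error above, applied to a pod spec constructed from that error (the debug pod) and to a constructed spec that satisfies every listed control, plus the namespace labels the error's `oc label` hint sets. The checks are simplified to the controls named in the message, not the full Pod Security Standards.

```python
# Added example: models only the restricted:v1.24 controls quoted in the
# PodSecurity error above. Not the admission controller's real code.

def namespace_labels(level):
    """Labels the error hint applies with `oc label`; level is one of
    privileged / baseline / restricted (the standard PSS levels)."""
    return {f"pod-security.kubernetes.io/{mode}": level
            for mode in ("enforce", "audit", "warn")}

def restricted_violations(pod_spec):
    """Return the names of the quoted restricted controls a pod spec violates.
    Pod-level securityContext is honoured for runAsNonRoot and seccompProfile
    (simplification: container-level overrides are not merged field by field)."""
    found = []
    if any(pod_spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        found.append("host namespaces")
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged"):
            found.append(f"privileged ({name})")
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"allowPrivilegeEscalation != false ({name})")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append(f"unrestricted capabilities ({name})")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            found.append(f"runAsNonRoot != true ({name})")
        if sc.get("runAsUser") == 0:
            found.append(f"runAsUser=0 ({name})")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {})
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"seccompProfile ({name})")
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"restricted volume types ({vol['name']})")
    return found

# Constructed from the error text: the debug pod needs host access by design,
# so it can never pass "restricted"; the namespace level is what must change.
DEBUG_POD = {
    "hostNetwork": True, "hostPID": True, "hostIPC": True,
    "containers": [{"name": "container-00",
                    "securityContext": {"privileged": True, "runAsUser": 0}}],
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
}
# Constructed: an ordinary workload spec that satisfies every quoted control.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
}
```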

            kwills@redhat.com Ken Wills
            dcihak@redhat.com Daniel Cihak