CLOUD-4133 (Cloud Enablement)

OpenShift changes to Pod Security Standards


Details

    • Task
    • Resolution: Unresolved
    • Major
    • EAP74 7.4.7.GA
    • EAP7

    Description

      As we found out during EAP testing, the recent changes in pod security standards for OCP 4.11 and 4.12 described in https://connect.redhat.com/blog/important-openshift-changes-pod-security-standards might affect the results of our OCP PIT tests, such as the failure described in https://bugzilla.redhat.com/show_bug.cgi?id=2120979.

      Error message seen during the test failure seems to be related to the changes:

      Invoking command: curl -k http://192.169.3.127:32736 on node sdntmvxd-nfnkk-worker-0-qtndd failed.
      Error output is: error: PodSecurity violation error:
      Ensure the target namespace has the appropriate security level set or consider creating a dedicated privileged namespace using:
      "oc create ns <namespace> -o yaml | oc label -f - pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged".

      Original error:
      pods "sdntmvxd-nfnkk-worker-0-qtndd-debug" is forbidden: violates PodSecurity "restricted:v1.24": host namespaces (hostNetwork=true, hostPID=true, hostIPC=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      The question is whether the error is caused by the wrong pod security configuration.
      Could you please clarify from the ENG point of view what the correct and suggested security configuration on pods/namespaces is? E.g. what exact labels need to be set ...? Thanks in advance.
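A quick way to see which of the restricted:v1.24 checks a pod spec would trip before it reaches the admission controller, as an added example that is not part of this ticket or of OpenShift: a small Python checker that mirrors the eight checks named in the error above, run against a constructed pod shaped like the debug pod in the message and against a constructed compliant one.

```python
"""Approximation of the PodSecurity "restricted" checks named in the error.
Added example, not OpenShift or Kubernetes code; field names follow the v1 Pod
schema. The capabilities check ignores the `add` list for brevity."""

HOST_NS = ("hostNetwork", "hostPID", "hostIPC")
SECCOMP_OK = ("RuntimeDefault", "Localhost")


def restricted_violations(pod: dict) -> list[str]:
    """Return the restricted:v1.24 checks a v1 Pod dict fails (empty = admitted)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    found = []
    used = [k for k in HOST_NS if spec.get(k)]
    if used:
        found.append("host namespaces (" + ", ".join(f"{k}=true" for k in used) + ")")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f'restricted volume types (volume "{vol.get("name")}" uses hostPath)')
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name"), c.get("securityContext", {})
        if sc.get("privileged"):
            found.append(f'privileged (container "{name}" sets privileged=true)')
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f'allowPrivilegeEscalation != false (container "{name}")')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append(f'unrestricted capabilities (container "{name}" must drop ["ALL"])')
        # pod-level securityContext applies unless the container overrides it
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f'runAsNonRoot != true (pod or container "{name}")')
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            found.append(f'runAsUser=0 (container "{name}")')
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in SECCOMP_OK:
            found.append(f'seccompProfile (pod or container "{name}" needs RuntimeDefault/Localhost)')
    return found


# Constructed sample shaped like the "oc debug node" pod from the ticket's error
DEBUG_POD = {"spec": {
    "hostNetwork": True, "hostPID": True, "hostIPC": True,
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "container-00",
                    "securityContext": {"privileged": True, "runAsUser": 0}}]}}

# Constructed pod that satisfies every check the error lists
RESTRICTED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "app", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}}
```

Running `restricted_violations(DEBUG_POD)` lists the same eight violation categories the admission error reports, while the compliant pod returns an empty list.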

          People

            kwills@redhat.com Ken Wills
            dcihak@redhat.com Daniel Cihak