Bug
Resolution: Done-Errata
CLOSED
Storage Core Sprint 221
Description of problem:
hostpath-provisioner-csi logs show an info-level log message related to a security context issue.
Version-Release number of selected component (if applicable):
4.11
How reproducible:
100%
Expected results:
The security context configuration prevents the warning from occurring.
Additional info:
{"level":"info","ts":1652877318.6829474,"logger":"KubeAPIWarningLogger","msg":"would violate PodSecurity \"restricted:latest\": hostPath volumes (volumes \"socket-dir\", \"mountpoint-dir\", \"registration-dir\", \"plugins-dir\", \"hpp-csi-local-basic-data-dir\", \"hpp-csi-pvc-block-data-dir\"), privileged (containers \"hostpath-provisioner\", \"node-driver-registrar\", \"csi-provisioner\" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers \"hostpath-provisioner\", \"node-driver-registrar\", \"liveness-probe\", \"csi-provisioner\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers \"hostpath-provisioner\", \"node-driver-registrar\", \"liveness-probe\", \"csi-provisioner\" must set securityContext.capabilities.drop=[\"ALL\"]), restricted volume types (volumes \"socket-dir\", \"mountpoint-dir\", \"registration-dir\", \"plugins-dir\", \"hpp-csi-local-basic-data-dir\", \"hpp-csi-pvc-block-data-dir\" use restricted volume type \"hostPath\"), runAsNonRoot != true (pod or containers \"hostpath-provisioner\", \"node-driver-registrar\", \"liveness-probe\", \"csi-provisioner\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \"hostpath-provisioner\", \"node-driver-registrar\", \"liveness-probe\", \"csi-provisioner\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"}
{"level":"info","ts":1652877321.0855155,"logger":"KubeAPIWarningLogger","msg":"would violate PodSecurity \"restricted:latest\": hostPath volumes (volume \"host-root\"), privileged (container \"mounter\" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container \"mounter\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"mounter\" must set securityContext.capabilities.drop=[\"ALL\"]), restricted volume types (volume \"host-root\" uses restricted volume type \"hostPath\"), runAsNonRoot != true (pod or container \"mounter\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"mounter\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"}
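The warning above enumerates the individual PodSecurity "restricted" checks the pod fails. As an added illustration (not code from hostpath-provisioner, Kubernetes, or this bug), the following Python reimplements just those named checks over a constructed pod spec, so a defender can see which containers and volumes would be flagged before the admission warning appears, and what a sidecar that passes looks like. It covers only the checks listed in the warning (not the whole restricted profile; for example runAsUser and capabilities.add are omitted), the sample pod spec and its image names and paths are constructed placeholders, and the function names are this example's own.

```python
"""Reimplement the PodSecurity "restricted" checks named in the warning.

Added illustration; not hostpath-provisioner or Kubernetes code. The pod spec
below is constructed to resemble the warned-about pod, not copied from it.
"""
import copy

# Volume types the restricted profile allows (the "restricted volume types" check).
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}


def _sc(obj):
    return obj.get("securityContext") or {}


def restricted_violations(pod_spec):
    """Return (check, subject, requirement) tuples mirroring the warning text."""
    violations = []
    pod_sc = _sc(pod_spec)
    containers = list(pod_spec.get("containers", [])) + list(pod_spec.get("initContainers", []))

    for vol in pod_spec.get("volumes", []):
        vtype = next((k for k in vol if k != "name"), None)
        if vtype == "hostPath":
            violations.append(("hostPath volumes", vol["name"], "hostPath volumes are not allowed"))
        if vtype not in RESTRICTED_VOLUME_TYPES:
            violations.append(("restricted volume types", vol["name"],
                               f'uses restricted volume type "{vtype}"'))

    for c in containers:
        sc, name = _sc(c), c["name"]
        if sc.get("privileged") is True:
            violations.append(("privileged", name, "must not set securityContext.privileged=true"))
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(("allowPrivilegeEscalation != false", name,
                               "must set securityContext.allowPrivilegeEscalation=false"))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            violations.append(("unrestricted capabilities", name,
                               'must set securityContext.capabilities.drop=["ALL"]'))
        # runAsNonRoot and seccompProfile may be set at pod level; a container value overrides it.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(("runAsNonRoot != true", name, "must set securityContext.runAsNonRoot=true"))
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            violations.append(("seccompProfile", name,
                               'must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost"'))
    return violations


def hardened_container(container):
    """Copy of a container with the restricted-profile fields set.

    Does not touch privileged; the API server rejects privileged=true combined
    with allowPrivilegeEscalation=false, so a privileged container cannot pass.
    """
    c = copy.deepcopy(container)
    sc = c.setdefault("securityContext", {})
    sc["allowPrivilegeEscalation"] = False
    sc["capabilities"] = {"drop": ["ALL"]}
    sc["runAsNonRoot"] = True
    sc["seccompProfile"] = {"type": "RuntimeDefault"}
    return c


# Constructed sample: one node-plugin-style container on a hostPath volume,
# plus a sidecar with no securityContext at all (image names are placeholders).
SAMPLE_POD_SPEC = {
    "volumes": [
        {"name": "socket-dir", "hostPath": {"path": "/var/lib/kubelet/plugins/example-csi"}},
        {"name": "tmp", "emptyDir": {}},
    ],
    "containers": [
        {"name": "hostpath-provisioner", "image": "example/hpp:placeholder",
         "securityContext": {"privileged": True}},
        {"name": "liveness-probe", "image": "example/liveness-probe:placeholder"},
    ],
}

if __name__ == "__main__":
    for check, subject, requirement in restricted_violations(SAMPLE_POD_SPEC):
        print(f"{check}: {subject} {requirement}")
    sidecar_only = {"volumes": [{"name": "tmp", "emptyDir": {}}],
                    "containers": [hardened_container(SAMPLE_POD_SPEC["containers"][1])]}
    print("hardened sidecar violations:", restricted_violations(sidecar_only))
```

Running the block prints the same check names the warning uses, once per offending container or volume, and an empty list for the hardened sidecar. The sidecar-style containers can be brought into compliance by setting the four fields, but a container that genuinely needs privileged mode or hostPath volumes (as a CSI node plugin does) cannot satisfy restricted at all; for such workloads the remaining lever is the namespace's pod-security level, not the pod spec.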