Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Fix Version/s: CNV v4.11.0
Affects Version/s: None
Component/s: CNV Storage
Labels:
- cnv-4+
- cnvbugsm
- devel_ack+
- pm_ack+
- qa_ack+

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
BZ Status:
CLOSED
BZ URL:
https://bugzilla.redhat.com/show_bug.cgi?id=2088471
Bugzilla Bug:
RHBZ: 2088471
Regression:
No
[QE] How to address?:
---
[QE] Why QE missed?:
---

Sprint:
Storage Core Sprint 221

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Description of problem:
hostpath-provisioner-csi logs shows info-level log message related security context issue.

Version-Release number of selected component (if applicable):
4.11

How reproducible:
100%

Expected results:
Security context configuration prevents warning from occurring.

Additional info:

{"level":"info","ts":1652877318.6829474,"logger":"KubeAPIWarningLogger","msg":"would violate PodSecurity \"restricted:latest\": hostPath volumes (volumes \"socket-dir\", \"mountpoint-dir\", \"registration-dir\", \"plugins-dir\", \"hpp-csi-local-basic-data-dir\", \"hpp-csi-pvc-block-data-dir\"), privileged (containers \"hostpath-provisioner\", \"node-driver-registrar\", \"csi-provisioner\" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers \"hostpath-provisioner\", \"node-driver-registrar\", \"liveness-probe\", \"csi-provisioner\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers \"hostpath-provisioner\", \"node-driver-registrar\", \"liveness-probe\", \"csi-provisioner\" must set securityContext.capabilities.drop=[\"ALL\"]), restricted volume types (volumes \"socket-dir\", \"mountpoint-dir\", \"registration-dir\", \"plugins-dir\", \"hpp-csi-local-basic-data-dir\", \"hpp-csi-pvc-block-data-dir\" use restricted volume type \"hostPath\"), runAsNonRoot != true (pod or containers \"hostpath-provisioner\", \"node-driver-registrar\", \"liveness-probe\", \"csi-provisioner\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \"hostpath-provisioner\", \"node-driver-registrar\", \"liveness-probe\", \"csi-provisioner\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"} {"level":"info","ts":1652877321.0855155,"logger":"KubeAPIWarningLogger","msg":"would violate PodSecurity \"restricted:latest\": hostPath volumes (volume \"host-root\"), privileged (container \"mounter\" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container \"mounter\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"mounter\" must set securityContext.capabilities.drop=[\"ALL\"]), restricted volume types (volume \"host-root\" uses restricted volume type \"hostPath\"), runAsNonRoot != true (pod or container \"mounter\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"mounter\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"}

external trackers

Red Hat Errata Tool 88137

Red Hat Product Errata RHSA-2022:6526

Assignee:: Alexander Wels

Reporter:: Sarah Bennert

QA Contact:: Yan Du

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2022/05/19 2:10 PM

Updated:: 2023/08/25 1:06 PM

Resolved:: 2022/09/14 7:34 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates