Uploaded image for project: 'OpenShift Virtualization'
  1. OpenShift Virtualization
  2. CNV-18561

[2089744] HCO should label its control plane namespace to admit pods at privileged security level

    XMLWordPrintable

Details

    • CNV I/U Operators Sprint 225, CNV I/U Operators Sprint 227, CNV I/U Operators Sprint 228, CNV I/U Operators Sprint 229, CNV I/U Operators Sprint 230
    • Urgent

    Description

      Description of problem:
      With OCP 4.11 the pod security admission mechanism is going to be enabled by default with restricted profile.
      See https://kubernetes.io/docs/concepts/security/pod-security-admission/ for an intro about PSA.

      With PSA we can only choose between 3 Pod Security Standards: privileged, baseline, and restricted.

      All the pods with restricted-v2 SCC are compatible with restricted PSS but in openshift-cnv currently we also have:

      cdi-deployment: containerized-data-importer SCC
      hostpath-provisioner-csi: hostpath-provisioner-csi SCC
      hpp-pool: hostpath-provisioner-csi SCC

      cluster-network-addons-operator: anyuid SCC
      bridge-marker: bridge-marker SCC
      kube-cni-linux-bridge-plugin: linux-bridge SCC

      virt-handler: kubevirt-handler SCC

      If even one of those pods cannot be made compatible with the k8s restricted PSS ( https://kubernetes.io/docs/concepts/security/pod-security-standards/ ) HCO schould (HCO is already reconcilying openshift-cnv namespace) add:
      labels:
      pod-security.kubernetes.io/enforce: privileged
      pod-security.kubernetes.io/audit: privileged
      pod-security.kubernetes.io/warn: privileged

      on openshift-cnv namespace

      User namespace with our workloads (VMs, DVs, data-import...) are not going to be affected by this because OCP 4.11 is also going to introduce the PSa Label Synchronization Controller ( https://github.com/openshift/enhancements/blob/master/enhancements/authentication/pod-security-admission-autolabeling.md ) which is going to automaticaly relabel user namespaces according to the pod with the most permissive Security Context Constraints in that namespace.
      But this is not going to handle openshift-* namespaces and so this bug.

      Version-Release number of selected component (if applicable):
      4.11

      How reproducible:
      100%

      Steps to Reproduce:
      1. deploy CNV
      2. check audit logs for pod-security.kubernetes.io/audit-violations in openshift-cnv
      3.

      Actual results:
      OCP 4.11 is still not enforcing it but it will start soon.

      Expected results:
      No audit logs entry about pod-security.kubernetes.io/audit-violations in openshift-cnv

      Additional info:

      Attachments

        Issue Links

          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. CNV-21780 [2133540] [pod security violation audit] Audit violation in "cni-plugins" container should be fixed

          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-21781 [2133541] [pod security violation audit] Audit violation in "bridge-marker" container should be fixed

          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-21782 [2133542] [pod security violation audit] Audit violation in "manager" container should be fixed

          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-21783 [2133543] [pod security violation audit] Audit violation in "kube-rbac-proxy" container should be fixed

          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-21785 [2133654] [pod security violation audit] Audit violation in "virt-operator" container should be fixed

          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-21788 [2133657] [pod security violation audit] Audit violation in "mounter" container should be fixed

          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-21418 [2128997] [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-21786 [2133655] [pod security violation audit] Audit violation in "cdi-operator" container should be fixed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-21787 [2133656] [4.12][pod security violation audit] Audit violation in "hostpath-provisioner-operator" container should be fixed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-21789 [2133659] [pod security violation audit] Audit violation in "cdi-controller" container should be fixed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-21790 [2133660] [pod security violation audit] Audit violation in "cdi-source-update-poller" container should be fixed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-22301 [2140406] [4.11][pod security violation audit] Audit violation in "hostpath-provisioner-operator" container should be fixed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-22396 [2141669] [4.11] [pod security violation audit] Audit violation in "cdi-source-update-poller" container should be fixed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-22397 [2141670] [4.11] [pod security violation audit] Audit violation in "cdi-operator" container should be fixed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. CNV-22398 [2141671] [4.11] [pod security violation audit] Audit violation in "cdi-controller" container should be fixed

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          external trackers

          Web Link Github kubevirt/hyperconverged-cluster-operator/pull/2036

          Web Link Github kubevirt/hyperconverged-cluster-operator/pull/2041

          Web Link Red Hat Errata Tool 95482

          Web Link Red Hat Issue Tracker CNV-18561

          Web Link Red Hat Product Errata RHSA-2023:0408

          Activity

            People

              stirabos Simone Tiraboschi
              stirabos Simone Tiraboschi
              Debarati Basu-Nag Debarati Basu-Nag
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: