OpenShift Virtualization / CNV-18561

[2089744] HCO should label its control plane namespace to admit pods at privileged security level


    • CNV I/U Operators Sprint 225, CNV I/U Operators Sprint 227, CNV I/U Operators Sprint 228, CNV I/U Operators Sprint 229, CNV I/U Operators Sprint 230
    • Urgent

      Description of problem:
      With OCP 4.11 the pod security admission mechanism is going to be enabled by default with the restricted profile.
      See https://kubernetes.io/docs/concepts/security/pod-security-admission/ for an intro to PSA.

      With PSA we can only choose between 3 Pod Security Standards: privileged, baseline, and restricted.

      All the pods with the restricted-v2 SCC are compatible with the restricted PSS, but in openshift-cnv we currently also have:

      cdi-deployment: containerized-data-importer SCC
      hostpath-provisioner-csi: hostpath-provisioner-csi SCC
      hpp-pool: hostpath-provisioner-csi SCC

      cluster-network-addons-operator: anyuid SCC
      bridge-marker: bridge-marker SCC
      kube-cni-linux-bridge-plugin: linux-bridge SCC

      virt-handler: kubevirt-handler SCC

      If even one of those pods cannot be made compatible with the k8s restricted PSS ( https://kubernetes.io/docs/concepts/security/pod-security-standards/ ), HCO should (HCO is already reconciling the openshift-cnv namespace) add:
      labels:
      pod-security.kubernetes.io/enforce: privileged
      pod-security.kubernetes.io/audit: privileged
      pod-security.kubernetes.io/warn: privileged

      on the openshift-cnv namespace.

      User namespaces with our workloads (VMs, DVs, data imports, ...) are not going to be affected by this because OCP 4.11 is also going to introduce the PSA Label Synchronization Controller ( https://github.com/openshift/enhancements/blob/master/enhancements/authentication/pod-security-admission-autolabeling.md ), which is going to automatically relabel user namespaces according to the pod with the most permissive Security Context Constraints in that namespace.
      But this is not going to handle openshift-* namespaces, hence this bug.
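The decision described above (one pod outside restricted-v2 is enough to force the whole namespace to the privileged level, and the reconciler should write the three PSA labels only when they differ) as an added example in Go; this is not HCO's own code. The pod-to-SCC inventory is the one listed in this report, embedded as a constructed literal (a real reconciler would read each pod's openshift.io/scc annotation); the hco-operator entry with restricted-v2 is a constructed extra pod to show that a single non-compliant pod dominates.

```go
package main

import (
	"fmt"
	"sort"
)

// Pod Security Admission namespace label keys and the two levels this example uses.
const (
	LabelEnforce    = "pod-security.kubernetes.io/enforce"
	LabelAudit      = "pod-security.kubernetes.io/audit"
	LabelWarn       = "pod-security.kubernetes.io/warn"
	LevelPrivileged = "privileged"
	LevelRestricted = "restricted"
)

// restrictedCompatibleSCCs holds the SCCs whose pods satisfy the restricted
// Pod Security Standard. As in the report, only restricted-v2 qualifies.
var restrictedCompatibleSCCs = map[string]bool{"restricted-v2": true}

// ReportedPodSCCs is the pod -> SCC inventory of openshift-cnv from the report,
// constructed here as a literal. The hco-operator entry is an assumed extra pod.
var ReportedPodSCCs = map[string]string{
	"cdi-deployment":                  "containerized-data-importer",
	"hostpath-provisioner-csi":        "hostpath-provisioner-csi",
	"hpp-pool":                        "hostpath-provisioner-csi",
	"cluster-network-addons-operator": "anyuid",
	"bridge-marker":                   "bridge-marker",
	"kube-cni-linux-bridge-plugin":    "linux-bridge",
	"virt-handler":                    "kubevirt-handler",
	"hco-operator":                    "restricted-v2", // constructed restricted-v2 pod
}

// PrivilegedPods lists the pods that prevent the namespace from admitting at
// the restricted level, sorted so the output is deterministic.
func PrivilegedPods(podSCCs map[string]string) []string {
	var out []string
	for pod, scc := range podSCCs {
		if !restrictedCompatibleSCCs[scc] {
			out = append(out, pod)
		}
	}
	sort.Strings(out)
	return out
}

// RequiredPSSLevel is the least permissive level the namespace can admit:
// restricted only if every pod runs under a restricted-compatible SCC.
func RequiredPSSLevel(podSCCs map[string]string) string {
	if len(PrivilegedPods(podSCCs)) == 0 {
		return LevelRestricted
	}
	return LevelPrivileged
}

// DesiredPSALabels returns the enforce/audit/warn labels for a level.
func DesiredPSALabels(level string) map[string]string {
	return map[string]string{LabelEnforce: level, LabelAudit: level, LabelWarn: level}
}

// ReconcileNamespaceLabels merges the desired PSA labels into a copy of the
// namespace's existing labels, leaves unrelated labels untouched, and reports
// whether an update is needed so the reconciler can skip a no-op write.
func ReconcileNamespaceLabels(existing, desired map[string]string) (map[string]string, bool) {
	merged := make(map[string]string, len(existing)+len(desired))
	for k, v := range existing {
		merged[k] = v
	}
	changed := false
	for k, v := range desired {
		if merged[k] != v {
			merged[k] = v
			changed = true
		}
	}
	return merged, changed
}

func main() {
	level := RequiredPSSLevel(ReportedPodSCCs)
	fmt.Printf("pods needing privileged: %v\n", PrivilegedPods(ReportedPodSCCs))
	nsLabels := map[string]string{"kubernetes.io/metadata.name": "openshift-cnv"}
	nsLabels, changed := ReconcileNamespaceLabels(nsLabels, DesiredPSALabels(level))
	fmt.Printf("level=%s changed=%v labels=%v\n", level, changed, nsLabels)
}
```

Running the reconcile a second time with the merged labels reports no change, which is the property that keeps a periodically reconciling operator from rewriting the namespace on every loop.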

      Version-Release number of selected component (if applicable):
      4.11

      How reproducible:
      100%

      Steps to Reproduce:
      1. deploy CNV
      2. check audit logs for pod-security.kubernetes.io/audit-violations in openshift-cnv

      Actual results:
      OCP 4.11 is still not enforcing it but it will start soon.

      Expected results:
      No audit logs entry about pod-security.kubernetes.io/audit-violations in openshift-cnv
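The check in step 2 of the reproduction steps, scanning the API server audit log for pod-security.kubernetes.io/audit-violations entries in openshift-cnv, as an added Go example (not part of this report or of the OpenShift tooling). It parses newline-delimited audit.k8s.io/v1 events, keeping only the fields it needs; the three sample events and the malformed line are constructed, including the pod names and violation text.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// ViolationAnnotation is the audit-event annotation PSA adds when a pod would
// violate the namespace's audit level.
const ViolationAnnotation = "pod-security.kubernetes.io/audit-violations"

// auditEvent holds only the fields of an audit.k8s.io/v1 Event this check reads.
type auditEvent struct {
	ObjectRef struct {
		Namespace string `json:"namespace"`
		Resource  string `json:"resource"`
		Name      string `json:"name"`
	} `json:"objectRef"`
	Annotations map[string]string `json:"annotations"`
}

// Violation is one PSA audit finding.
type Violation struct {
	Namespace, Pod, Detail string
}

// FindPSAViolations scans newline-delimited JSON audit events and returns those
// in the given namespace that carry the audit-violations annotation.
// Lines that are not valid JSON are skipped instead of aborting the scan.
func FindPSAViolations(auditLog string, namespace string) []Violation {
	var found []Violation
	sc := bufio.NewScanner(strings.NewReader(auditLog))
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // audit lines can be long
	for sc.Scan() {
		var ev auditEvent
		if err := json.Unmarshal(sc.Bytes(), &ev); err != nil {
			continue
		}
		detail, ok := ev.Annotations[ViolationAnnotation]
		if !ok || ev.ObjectRef.Namespace != namespace {
			continue
		}
		found = append(found, Violation{Namespace: ev.ObjectRef.Namespace, Pod: ev.ObjectRef.Name, Detail: detail})
	}
	return found
}

// SampleAuditLog is constructed sample data: one violating pod in openshift-cnv,
// one in another namespace, one clean event, and one malformed line.
const SampleAuditLog = `{"kind":"Event","apiVersion":"audit.k8s.io/v1","objectRef":{"resource":"pods","namespace":"openshift-cnv","name":"virt-handler-abcde"},"annotations":{"pod-security.kubernetes.io/audit-violations":"would violate PodSecurity \"restricted:latest\": privileged (container \"virt-handler\" must not set securityContext.privileged=true)"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","objectRef":{"resource":"pods","namespace":"default","name":"debug-pod"},"annotations":{"pod-security.kubernetes.io/audit-violations":"would violate PodSecurity \"restricted:latest\": hostPath volumes"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","objectRef":{"resource":"pods","namespace":"openshift-cnv","name":"hco-operator-12345"},"annotations":{"authorization.k8s.io/decision":"allow"}}
not json at all
`

func main() {
	for _, v := range FindPSAViolations(SampleAuditLog, "openshift-cnv") {
		fmt.Printf("%s/%s: %s\n", v.Namespace, v.Pod, v.Detail)
	}
}
```

Once the namespace carries the privileged audit label the expected result is an empty list, which is the condition in "Expected results" above.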

      Additional info:

              stirabos Simone Tiraboschi
              Debarati Basu-Nag Debarati Basu-Nag