Project: OpenShift Virtualization
Issue: CNV-22396

[2141669] [4.11] [pod security violation audit] Audit violation in "cdi-source-update-poller" container should be fixed


    • Medium

      +++ This bug was initially created as a clone of Bug #2133660 +++

      Description of problem:
      -----------------------
      Test run [1], which looks for 'pod security violation' entries in audit logs, found a few audit violations against 4.11.1-20.

      [1] - https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/view/cnv-tests%20runner/job/cnv-tests-runner/4297/consoleFull.

      This bug is to fix violation in 'cdi-source-update-poller' container.

      <snip>
      'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cdi-source-update-poller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cdi-source-update-poller" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "cdi-source-update-poller" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cdi-source-update-poller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'}}
      </snip>

      Version-Release number of selected component (if applicable):
      -------------------------------------------------------------
      4.11.1-20

      How reproducible:
      -----------------
      Always

      Expected results:
      -----------------
      No audit-violation to be found
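      The audit entry above names the four "restricted" rules the container misses. The following is an added example, not CDI's or Kubernetes' own admission code: a simplified checker that evaluates a plain-dict pod spec against those four rules, with the pod-or-container scoping the message describes. The two pod specs are constructed for illustration (only the container name is taken from the bug).

```python
def _effective(pod_sc, ctr_sc, key):
    # A container-level setting overrides the pod-level one; otherwise
    # the pod-level value (or None when unset) applies.
    if key in ctr_sc:
        return ctr_sc[key]
    return pod_sc.get(key)


def restricted_violations(pod):
    """Return the list of restricted-profile violations for a pod spec.

    Simplified re-implementation (assumption, not Kubernetes' code) of the
    four checks quoted in the audit log: allowPrivilegeEscalation and
    capabilities.drop are container-level only; runAsNonRoot and
    seccompProfile may be satisfied at pod or container level.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations = []
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        name = ctr.get("name", "<unnamed>")
        sc = ctr.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'allowPrivilegeEscalation != false (container "{name}")')
        drop = (sc.get("capabilities") or {}).get("drop", [])
        if "ALL" not in drop:
            violations.append(f'unrestricted capabilities (container "{name}")')
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            violations.append(f'runAsNonRoot != true (pod or container "{name}")')
        profile = _effective(pod_sc, sc, "seccompProfile") or {}
        if profile.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f'seccompProfile (pod or container "{name}")')
    return violations


# Constructed sample specs: the first reproduces the reported state, the
# second is the same container with the settings the audit entry asks for.
BEFORE = {"spec": {"containers": [
    {"name": "cdi-source-update-poller", "image": "placeholder-image"}]}}

AFTER = {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "cdi-source-update-poller", "image": "placeholder-image",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("before", BEFORE), ("after", AFTER)):
        print(label, restricted_violations(pod) or "compliant")
```

Running the checker over a rendered manifest before it is admitted flags the same four conditions the audit log would report, so the fix can be verified without waiting for an audit-log scan.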

      — Additional comment from Maya Rashish on 2022-11-09 07:57:37 UTC —

      This has been fixed in 4.12 for long enough that it's hard to find the exact version where it was fixed.
      Listing some recent version of CNV.

      Note this required some downstream follow-up:
      https://gitlab.cee.redhat.com/cpaas-midstream/openshift-virtualization/containerized-data-importer/-/merge_requests/235/diffs?commit_id=4fb52f90c66ebd7767dd99bb47e73f5c62c08236

      — Additional comment from Yan Du on 2022-11-10 08:43:46 UTC —

      Test on CNV v4.12.0-628, no cdi-source-update-poller container 'pod security violation' error in audit logs.

      @Maya, since it is fixed on 4.12, do we have a plan to backport to 4.11?

            mhenriks@redhat.com Michael Henriksen
            mrashish Maya Rashish (Inactive)
            Yan Du Yan Du