Bug
Resolution: Won't Do
Major
CLOSED
Medium
+++ This bug was initially created as a clone of Bug #2133655 +++
Description of problem:
-----------------------
Test run[1], which looks for 'pod security violation' entries in audit logs, found a few audit violations against 4.11.1-20.
This bug is to fix the violation in the 'cdi-operator' container.
<snip>
'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cdi-operator" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cdi-operator" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "cdi-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'}}
</snip>
Version-Release number of selected component (if applicable):
-------------------------------------------------------------
4.11.1-20
How reproducible:
-----------------
Always
Expected results:
-----------------
No audit-violation to be found
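The audit annotation quoted above names three restricted-profile rules the cdi-operator container fails. The following is an added example, not CDI or Kubernetes project code: a small offline checker that applies those three rules to a container spec and rebuilds the same annotation text, so a manifest can be linted for this class of violation before it reaches a cluster. The two container specs are constructed samples (a weak one in the shape the audit message complains about, and the hardened form with the required fields), and the checker is a simplified restatement of the quoted rules, not the full Pod Security admission logic.

```python
"""Check a container securityContext against the three PodSecurity
"restricted" rules named in the audit annotation in this bug.

Added example; not CDI or Kubernetes code. WEAK_CONTAINER and
HARDENED_CONTAINER are constructed samples, and restricted_violations()
is a simplified restatement of the quoted rules, not the full admission
plugin (it does not cover runAsNonRoot, volumes, host namespaces, etc.).
"""

# Constructed sample: securityContext missing the three required settings
WEAK_CONTAINER = {
    "name": "cdi-operator",
    "securityContext": {"runAsNonRoot": True},
}

# Constructed sample: the same container with the settings the profile requires
HARDENED_CONTAINER = {
    "name": "cdi-operator",
    "securityContext": {
        "runAsNonRoot": True,
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "seccompProfile": {"type": "RuntimeDefault"},
    },
}


def restricted_violations(container, pod_security_context=None):
    """Return restricted-profile violation messages for one container.

    pod_security_context is the pod-level securityContext; seccompProfile
    may be set there instead of on the container (hence "pod or container"
    in the audit message), with a container-level value taking precedence.
    """
    pod_sc = pod_security_context or {}
    sc = container.get("securityContext") or {}
    name = container.get("name", "<unnamed>")
    violations = []

    # Rule 1: allowPrivilegeEscalation must be explicitly false (absent counts as true).
    if sc.get("allowPrivilegeEscalation") is not False:
        violations.append(
            f'allowPrivilegeEscalation != false (container "{name}" must set '
            f"securityContext.allowPrivilegeEscalation=false)"
        )

    # Rule 2: capabilities.drop must contain ALL. (The real profile also
    # restricts capabilities.add to NET_BIND_SERVICE; not checked here.)
    drop = [c.upper() for c in (sc.get("capabilities") or {}).get("drop", [])]
    if "ALL" not in drop:
        violations.append(
            f'unrestricted capabilities (container "{name}" must set '
            f'securityContext.capabilities.drop=["ALL"])'
        )

    # Rule 3: seccompProfile.type must be RuntimeDefault or Localhost,
    # taken from the container if set there, otherwise from the pod.
    profile = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
    if profile.get("type") not in ("RuntimeDefault", "Localhost"):
        violations.append(
            f'seccompProfile (pod or container "{name}" must set '
            f'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
        )
    return violations


def audit_annotation(containers, pod_security_context=None):
    """Rebuild the pod-security.kubernetes.io/audit-violations text for a
    list of containers, or return None when the pod would be admitted."""
    messages = []
    for container in containers:
        messages.extend(restricted_violations(container, pod_security_context))
    if not messages:
        return None
    return 'would violate PodSecurity "restricted:latest": ' + ", ".join(messages)


if __name__ == "__main__":
    print(audit_annotation([WEAK_CONTAINER]))
    print(audit_annotation([HARDENED_CONTAINER]))
```

Run against the weak sample, audit_annotation() reproduces the annotation quoted in the description word for word; against the hardened sample it returns None. Passing a pod-level securityContext with seccompProfile set clears only the third message, which is the "pod or container" case the audit wording refers to.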
— Additional comment from Maya Rashish on 2022-11-09 07:57:42 UTC —
This has been fixed in 4.12 for long enough that it's hard to find the exact version where it was fixed.
Listing some recent versions of CNV.
Note this required some downstream follow-up:
https://gitlab.cee.redhat.com/cpaas-midstream/openshift-virtualization/containerized-data-importer/-/merge_requests/235/diffs?commit_id=4fb52f90c66ebd7767dd99bb47e73f5c62c08236
— Additional comment from Yan Du on 2022-11-10 08:41:19 UTC —
Tested on CNV v4.12.0-628: no cdi-operator container 'pod security violation' error in audit logs.
@Maya, since it is fixed on 4.12, do we have a plan to backport to 4.11?