OpenShift Virtualization / CNV-22398

[2141671] [4.11] [pod security violation audit] Audit violation in "cdi-controller" container should be fixed


    • Medium
    • None

      +++ This bug was initially created as a clone of Bug #2133659 +++

      Description of problem:
      -----------------------
      Test run [1], which looks for 'pod security violation' entries in audit logs, against 4.11.1-20 found a few audit violations.

      [1] - https://main-jenkins-csb-cnvqe.apps.ocp-c1.prod.psi.redhat.com/view/cnv-tests%20runner/job/cnv-tests-runner/4297/consoleFull.

      This bug is to fix the violation in the 'cdi-controller' container.

      <snip>
      'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "cdi-controller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cdi-controller" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "cdi-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")',
      </snip>

      Version-Release number of selected component (if applicable):
      -------------------------------------------------------------
      4.11.1-20

      How reproducible:
      -----------------
      Always

      Expected results:
      -----------------
      No audit-violation to be found
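To make the quoted audit annotation concrete, here is an added example (not code from the CDI project or from the Kubernetes pod-security-admission library): a simplified re-implementation of the three "restricted" profile checks named in the message, producing the same text, run over a constructed container spec with no securityContext (the "before") and the same container with the three settings the message asks for (the "after"). The container dicts, the image reference and the `pod_seccomp` argument are constructed stand-ins, not the real cdi-controller manifest; the real admission plugin also checks initContainers, capabilities.add and other fields that this example leaves out.

```python
# Added example, not CDI project code and not the Kubernetes pod-security-admission
# library: a simplified re-implementation of the three PodSecurity "restricted" checks
# named in the audit-violation message above, emitting the same message format.
# Container specs below are constructed stand-ins, not the real cdi-controller manifest.

ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def restricted_violations(containers, pod_seccomp=None):
    """Return the violation fragments the restricted profile would report for
    the given container specs (dicts shaped like a Kubernetes container).

    pod_seccomp is the pod-level securityContext.seccompProfile, if any; a
    container-level seccompProfile overrides it, as in Kubernetes.
    Only the three checks from the audit message are implemented here.
    """
    violations = []
    for c in containers:
        name = c["name"]
        sc = c.get("securityContext") or {}

        # Check 1: privilege escalation must be explicitly disabled; unset is a violation
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'allowPrivilegeEscalation != false (container "{name}" '
                "must set securityContext.allowPrivilegeEscalation=false)"
            )

        # Check 2: capabilities.drop must contain "ALL"
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            violations.append(
                f'unrestricted capabilities (container "{name}" '
                'must set securityContext.capabilities.drop=["ALL"])'
            )

        # Check 3: seccomp must be RuntimeDefault or Localhost at pod or container level
        seccomp = sc.get("seccompProfile") or pod_seccomp or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP_TYPES:
            violations.append(
                f'seccompProfile (pod or container "{name}" must set '
                'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
            )
    return violations


def audit_annotation(containers, pod_seccomp=None):
    """Build the pod-security.kubernetes.io/audit-violations value for the
    restricted:latest level, or None when the three checks pass."""
    found = restricted_violations(containers, pod_seccomp)
    if not found:
        return None
    return 'would violate PodSecurity "restricted:latest": ' + ", ".join(found)


# Constructed "before": no securityContext at all, which is enough to trigger
# all three violations quoted in the bug.
VIOLATING_CONTAINERS = [
    {"name": "cdi-controller", "image": "example.invalid/cdi-controller:placeholder"},
]

# Constructed "after": the same container with the three settings the message asks for.
FIXED_CONTAINERS = [
    {
        "name": "cdi-controller",
        "image": "example.invalid/cdi-controller:placeholder",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "seccompProfile": {"type": "RuntimeDefault"},
        },
    },
]

if __name__ == "__main__":
    print(audit_annotation(VIOLATING_CONTAINERS))  # the message quoted in the bug
    print(audit_annotation(FIXED_CONTAINERS))      # None
```

Running the block prints the exact annotation quoted in the bug for the "before" spec and `None` for the "after" spec. The seccomp check is deliberately evaluated against the pod-level profile as a fallback, since the message itself says "pod or container" must set it; a pod-level `seccompProfile.type: RuntimeDefault` therefore satisfies that check for every container that does not override it.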

      — Additional comment from Maya Rashish on 2022-11-09 07:57:40 UTC —

      This has been fixed in 4.12 for long enough that it's hard to find the exact version where it was fixed.
      Listing some recent versions of CNV.

      Note this required some downstream follow-up:
      https://gitlab.cee.redhat.com/cpaas-midstream/openshift-virtualization/containerized-data-importer/-/merge_requests/235/diffs?commit_id=4fb52f90c66ebd7767dd99bb47e73f5c62c08236

              Michael Henriksen (mhenriks@redhat.com)
              Maya Rashish (mrashish, Inactive)
              Yan Du