Project: OpenShift Virtualization
Issue: CNV-29008

[2209444] PSA violation messages due to a restricted profile cluster-network-addons-operator and its components: kube-cni-linux-bridge-plugin, bridge-marker


    • Medium
    • No

      Created attachment 1966529: cnao audit log entries

      Description of problem:
      PSA violation message seen for CNAO in the audit log of an upgraded cluster (4.12.3 -> 4.13.0)

      Version-Release number of selected component (if applicable):
      4.13.0 (upgraded BM cluster from CNV 4.12.3)

      How reproducible:
      Seen 1/1 attempt

      Steps to Reproduce:
      1. On an upgraded BM cluster, check the audit log for PSA related messages

      Actual results:
      Sample:
      =========
      {'kind': 'Event', 'apiVersion': 'audit.k8s.io/v1', 'level': 'Metadata', 'auditID': 'bc4fea33-2b73-4046-8e6d-eefa1d57fcdf', 'stage': 'ResponseComplete', 'requestURI': '/apis/apps/v1/namespaces/openshift-cnv/daemonsets/kube-cni-linux-bridge-plugin', 'verb': 'update', 'user': {'username': 'system:serviceaccount:openshift-cnv:cluster-network-addons-operator', 'uid': '118b836f-9eb2-4e01-ac91-a4916d1477e0', 'groups': ['system:serviceaccounts', 'system:serviceaccounts:openshift-cnv', 'system:authenticated'], 'extra': {'authentication.kubernetes.io/pod-name': ['cluster-network-addons-operator-789f8f8846-rngxc'], 'authentication.kubernetes.io/pod-uid': ['440049b1-bcf5-4e79-b92c-860deda712b7']}}, 'sourceIPs': ['10.1.156.11'], 'userAgent': 'cluster-network-addons-operator/v0.0.0 (linux/amd64) kubernetes/$Format', 'objectRef': {'resource': 'daemonsets', 'namespace': 'openshift-cnv', 'name': 'kube-cni-linux-bridge-plugin', 'uid': '324f0352-86ca-4671-bc17-b30ec4592cf5', 'apiGroup': 'apps', 'apiVersion': 'v1', 'resourceVersion': '228694'}, 'responseStatus': {'metadata': {}, 'code': 200}, 'requestReceivedTimestamp': '2023-05-17T20:04:43.746245Z', 'stageTimestamp': '2023-05-17T20:04:43.750636Z', 'annotations': {'authorization.k8s.io/decision': 'allow', 'authorization.k8s.io/reason': 'RBAC: allowed by ClusterRoleBinding "kubevirt-hyperconverged-operator.v4.12.3-57cc7db8bb" of ClusterRole "kubevirt-hyperconverged-operator.v4.12.3-57cc7db8bb" to ServiceAccount "cluster-network-addons-operator/openshift-cnv"', 'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": privileged (container "cni-plugins" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "cni-plugins" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "cni-plugins" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "cnibin" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "cni-plugins" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "cni-plugins" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'}}
      ======================
      More examples are attached.
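As an added example (not from this issue or from the CNAO project), the script below reads kube-apiserver audit events in JSON-lines form, keeps only those carrying the pod-security.kubernetes.io/audit-violations annotation, and lists per workload which checks of the named profile failed; the sample events are constructed from the entry quoted above plus one unflagged request, and the regex assumes the check details contain no parentheses, as in that entry.

```python
import json
import re

# Annotation the PodSecurity admission controller adds to an audit event when the
# request would violate the namespace's audit-level profile (see the sample above).
VIOLATION_KEY = "pod-security.kubernetes.io/audit-violations"
HEADER_RE = re.compile(r'^would violate PodSecurity "([^"]+)": (.*)$')
# Each failed check is rendered as `<check> (<detail>)`; details carry no parentheses.
CHECK_RE = re.compile(r'([A-Za-z][A-Za-z !=]*?) \(([^()]*)\)')

# Constructed sample modelled on the issue's entry; the second event is unflagged.
SAMPLE_EVENTS = [
    {"kind": "Event", "verb": "update",
     "objectRef": {"resource": "daemonsets", "namespace": "openshift-cnv",
                   "name": "kube-cni-linux-bridge-plugin"},
     "annotations": {"authorization.k8s.io/decision": "allow", VIOLATION_KEY:
         'would violate PodSecurity "restricted:latest": privileged (container "cni-plugins" '
         'must not set securityContext.privileged=true), allowPrivilegeEscalation != false '
         '(container "cni-plugins" must set securityContext.allowPrivilegeEscalation=false), '
         'unrestricted capabilities (container "cni-plugins" must set '
         'securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "cnibin" '
         'uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container '
         '"cni-plugins" must set securityContext.runAsNonRoot=true), seccompProfile (pod or '
         'container "cni-plugins" must set securityContext.seccompProfile.type to '
         '"RuntimeDefault" or "Localhost")'}},
    {"kind": "Event", "verb": "get", "annotations": {"authorization.k8s.io/decision": "allow"},
     "objectRef": {"resource": "daemonsets", "namespace": "openshift-cnv", "name": "bridge-marker"}},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\n"

def parse_violations(annotation):
    """Split one audit-violations annotation into (profile, {check: detail})."""
    m = HEADER_RE.match(annotation)
    if not m:
        raise ValueError(f"unrecognised PSA annotation: {annotation!r}")
    profile, body = m.groups()
    return profile, dict(CHECK_RE.findall(body))

def psa_report(audit_log):
    """Map 'namespace/resource/name' -> {profile: sorted failed checks} for flagged events."""
    report = {}
    for line in filter(str.strip, audit_log.splitlines()):
        event = json.loads(line)
        violation = event.get("annotations", {}).get(VIOLATION_KEY)
        if violation is None:
            continue  # request satisfied the namespace's PSA audit level
        ref = event.get("objectRef", {})
        key = "/".join(ref.get(k, "?") for k in ("namespace", "resource", "name"))
        profile, checks = parse_violations(violation)
        report.setdefault(key, {})[profile] = sorted(checks)
    return report
```

Run it over a real audit log with psa_report(open(path).read()) to get, per workload, the list of restricted-profile checks that would fail once the namespace is enforced rather than only audited.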

      Expected results:
      No PSA related entries in audit log

      Additional info:

              ellorent Felix Enrique Llorente Pastora
              rhn-support-dbasunag Debarati Basu-Nag