- Bug
- Resolution: Done-Errata
- None
- Quality / Stability / Reliability
- False
- False
- CLOSED
- CNV I/U Operators Sprint 241, CNV I/U Operators Sprint 242
- Moderate
- No
http://pastebin.test.redhat.com/1105334
Description of problem: In the audit log of a freshly deployed 4.14.0 cluster, I see pod security violation messages due to the restricted profile (virt-operator, virt-launcher, virt-handler).
Version-Release number of selected component (if applicable):
4.14.0
How reproducible:
100%
Steps to Reproduce:
1. Deploy CNV
2. Check audit logs of 4.14.0
Actual results:
Sample entry (http://pastebin.test.redhat.com/1105334):
=============
User-agent: virt-operator/v0.0.0 (linux/amd64) kubernetes/$Format, Violations:
{'kind': 'Event', 'apiVersion': 'audit.k8s.io/v1', 'level': 'Metadata', 'auditID': '9cfee1fa-78eb-47ee-a927-c3836cea6d39', 'stage': 'ResponseComplete', 'requestURI': '/apis/apps/v1/namespaces/openshift-cnv/daemonsets/virt-handler', 'verb': 'patch', 'user': {'username': 'system:serviceaccount:openshift-cnv:kubevirt-operator', 'uid': 'f968dcac-34bb-481d-bd7e-b2cda614d888', 'groups': ['system:serviceaccounts', 'system:serviceaccounts:openshift-cnv', 'system:authenticated'], 'extra': {'authentication.kubernetes.io/pod-name': ['virt-operator-6749d94f-9h6bv'], 'authentication.kubernetes.io/pod-uid': ['47a3dd95-c28d-433c-97c9-be3278d9ec3c']}}, 'sourceIPs': ['10.9.96.49'], 'userAgent': 'virt-operator/v0.0.0 (linux/amd64) kubernetes/$Format', 'objectRef':
, 'responseStatus': {'metadata': {}, 'code': 200}, 'requestReceivedTimestamp': '2023-07-18T13:09:59.697520Z', 'stageTimestamp': '2023-07-18T13:09:59.716472Z', 'annotations': {'authorization.k8s.io/decision': 'allow', 'authorization.k8s.io/reason': 'RBAC: allowed by ClusterRoleBinding "kubevirt-hyperconverged-operator.v4.14.0-68bd6f97f6" of ClusterRole "kubevirt-hyperconverged-operator.v4.14.0-68bd6f97f6" to ServiceAccount "kubevirt-operator/openshift-cnv"', 'pod-security.kubernetes.io/audit-violations': 'would violate PodSecurity "restricted:latest": host namespaces (hostPID=true), privileged (containers "virt-launcher", "virt-handler" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "virt-launcher", "virt-handler" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "virt-launcher", "virt-handler" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "libvirt-runtimes", "virt-share-dir", "virt-lib-dir", "virt-private-dir", "device-plugin", "kubelet-pods-shortened", "kubelet-pods", "node-labeller" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "virt-launcher", "virt-handler" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "virt-launcher", "virt-handler" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'}}
=============
Details attached.
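For triaging entries like the one above, the following is an added example (not part of this bug report, and not CNV/KubeVirt code) that parses a Kubernetes API-server audit event and turns the pod-security.kubernetes.io/audit-violations annotation into structured findings: which PodSecurity profile was evaluated, which checks failed, and which containers each check names. The embedded event is a constructed sample modelled on the entry quoted in the report; its objectRef is a placeholder because the report's copy of the event omits it.

```python
"""Extract PodSecurity admission findings from a Kubernetes API-server audit event.

Added example (not part of the original bug report or of CNV/KubeVirt): parses the
pod-security.kubernetes.io/audit-violations annotation into structured findings.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

AUDIT_ANNOTATION = "pod-security.kubernetes.io/audit-violations"

# Constructed sample event, modelled on the entry quoted in the report.
# The objectRef is a placeholder: the report's copy of the event omits it.
SAMPLE_EVENT = json.dumps({
    "kind": "Event",
    "apiVersion": "audit.k8s.io/v1",
    "level": "Metadata",
    "stage": "ResponseComplete",
    "requestURI": "/apis/apps/v1/namespaces/openshift-cnv/daemonsets/virt-handler",
    "verb": "patch",
    "user": {"username": "system:serviceaccount:openshift-cnv:kubevirt-operator"},
    "objectRef": {"resource": "daemonsets", "namespace": "openshift-cnv", "name": "virt-handler"},
    "responseStatus": {"metadata": {}, "code": 200},
    "annotations": {
        "authorization.k8s.io/decision": "allow",
        AUDIT_ANNOTATION: (
            'would violate PodSecurity "restricted:latest": host namespaces (hostPID=true), '
            'privileged (containers "virt-launcher", "virt-handler" must not set securityContext.privileged=true), '
            'allowPrivilegeEscalation != false (containers "virt-launcher", "virt-handler" must set securityContext.allowPrivilegeEscalation=false), '
            'unrestricted capabilities (containers "virt-launcher", "virt-handler" must set securityContext.capabilities.drop=["ALL"]), '
            'restricted volume types (volumes "libvirt-runtimes", "virt-share-dir", "virt-lib-dir", "virt-private-dir", "device-plugin", "kubelet-pods-shortened", "kubelet-pods", "node-labeller" use restricted volume type "hostPath"), '
            'runAsNonRoot != true (pod or containers "virt-launcher", "virt-handler" must set securityContext.runAsNonRoot=true), '
            'seccompProfile (pod or containers "virt-launcher", "virt-handler" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
        ),
    },
})


def _split_top_level(text: str) -> List[str]:
    """Split on commas that sit outside parentheses and outside double quotes."""
    parts: List[str] = []
    buf: List[str] = []
    depth = 0
    in_quote = False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                parts.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def parse_violations(annotation: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (profile, [(check, detail), ...]) from an audit-violations string."""
    head, sep, rest = annotation.partition('": ')
    if not sep or '"' not in head:
        return "unknown", []
    profile = head.split('"', 1)[1]  # e.g. restricted:latest
    checks: List[Tuple[str, str]] = []
    for part in _split_top_level(rest):
        m = re.match(r"^(?P<check>.*?)\s*\((?P<detail>.*)\)$", part, re.S)
        if m:
            checks.append((m.group("check"), m.group("detail")))
        else:
            checks.append((part, ""))
    return profile, checks


def containers_named(detail: str) -> List[str]:
    """Container names a check complains about ('containers "a", "b" must ...')."""
    m = re.match(r'(?:pod or )?containers ((?:"[^"]+"(?:, )?)+)', detail)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []


def audit_findings(event_json: str) -> Optional[Dict]:
    """Structured PSA findings for one audit event, or None if it carries none."""
    event = json.loads(event_json)
    annotation = event.get("annotations", {}).get(AUDIT_ANNOTATION)
    if not annotation:
        return None
    profile, checks = parse_violations(annotation)
    return {
        "user": event.get("user", {}).get("username"),
        "request": f'{event.get("verb")} {event.get("requestURI")}',
        # A 2xx response means the object was admitted: PSA only audited, it did not enforce.
        "admitted": event.get("responseStatus", {}).get("code", 0) < 400,
        "profile": profile,
        "violations": [
            {"check": check, "containers": containers_named(detail), "detail": detail}
            for check, detail in checks
        ],
    }


if __name__ == "__main__":
    print(json.dumps(audit_findings(SAMPLE_EVENT), indent=2))
```

Feeding the API server's audit log through audit_findings line by line gives one record per admitted-but-flagged object, which is what distinguishes this report's situation (the DaemonSet patch returned 200, so the restricted profile was only in audit mode) from an enforce-mode rejection.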
Expected results:
No pod security violation message
Additional info:
http://pastebin.test.redhat.com/1105334
https://kubernetes.io/docs/concepts/security/pod-security-admission/
https://bugzilla.redhat.com/show_bug.cgi?id=2089744