Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Undefined
Fix Version/s: Logging 5.5.0
Affects Version/s: Logging 5.5.0, Logging 5.4.1
Component/s: Log Storage
Labels:
- devel_ack+

Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
Pod Security Admission Compatibility
Docs QE Status:
NEW
QE Status:
NEW
Steps to Reproduce:

Hide

you can simply copy the test.sh from AUTH-221

Show
you can simply copy the test.sh from AUTH-221

Sprint:
Log Storage - Sprint 221, Log Storage - Sprint 222

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

From https://kubernetes.io/docs/concepts/security/pod-security-admission/
In v1.23(OCP 4.11), the PodSecurity feature gate is a Beta feature and is enabled by default.

The below logging containers violate PodSecurity

kibana:
allowPrivilegeEscalation != false (containers "kibana", "kibana-proxy" must set securityContext.allowPrivilegeEscalation=false)
unrestricted capabilities (containers "kibana", "kibana-proxy" must set securityContext.capabilities.drop=["ALL"]),
runAsNonRoot != true (pod or containers "kibana", "kibana-proxy" must set securityContext.runAsNonRoot=true)
seccompProfile (pod or containers "kibana", "kibana-proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

elasticsearch:
unrestricted capabilities (containers "elasticsearch", "proxy" must set securityContext.capabilities.drop=["ALL"])
runAsNonRoot != true (pod or containers "elasticsearch", "proxy" must set securityContext.runAsNonRoot=true)
seccompProfile (pod or containers "elasticsearch", "proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

indexmanagement:
allowPrivilegeEscalation != false (container "indexmanagement" must set securityContext.allowPrivilegeEscalation=false)
unrestricted capabilities (container "indexmanagement" must set securityContext.capabilities.drop=["ALL"])
runAsNonRoot != true (pod or container "indexmanagement" must set securityContext.runAsNonRoot=true)
seccompProfile (pod or container "indexmanagement" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

elasticsearch-operator:
allowPrivilegeEscalation != false (container "kube-rbac-proxy" must set securityContext.allowPrivilegeEscalation=false)
unrestricted capabilities (containers "kube-rbac-proxy", "elasticsearch-operator" must set securityContext.capabilities.drop=["ALL"])
runAsNonRoot != true (pod or containers "kube-rbac-proxy", "elasticsearch-operator" must set securityContext.runAsNonRoot=true)
seccompProfile (pod or containers "kube-rbac-proxy", "elasticsearch-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

is cloned by

LOG-2620 containers violate PodSecurity -- Core

Closed

LOG-2627 containers violate PodSecurity -- Loki

Closed

Assignee:: Mohamed Amine Belkoura

Reporter:: Anping Li

QA Contact:: Anping Li

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2022/05/12 12:48 PM

Updated:: 2022/08/12 5:04 PM

Resolved:: 2022/08/05 12:28 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates