OpenShift Logging / LOG-2619

Containers violate PodSecurity -- Log Exploration


    Sprint: Log Storage - Sprint 221, Log Storage - Sprint 222

      From https://kubernetes.io/docs/concepts/security/pod-security-admission/
      In Kubernetes v1.23 the PodSecurity feature gate is a Beta feature and is enabled by default, and OpenShift 4.11 ships with Pod Security admission turned on.

      Evaluated against the "restricted" Pod Security Standard, the logging containers below violate PodSecurity. Each line is the warning the admission controller emits; "pod or containers" means the field may be set once at pod level (spec.securityContext) and inherited, while the other two fields exist only per container.

      kibana:
      allowPrivilegeEscalation != false (containers "kibana", "kibana-proxy" must set securityContext.allowPrivilegeEscalation=false)
      unrestricted capabilities (containers "kibana", "kibana-proxy" must set securityContext.capabilities.drop=["ALL"])
      runAsNonRoot != true (pod or containers "kibana", "kibana-proxy" must set securityContext.runAsNonRoot=true)
      seccompProfile (pod or containers "kibana", "kibana-proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      elasticsearch:
      unrestricted capabilities (containers "elasticsearch", "proxy" must set securityContext.capabilities.drop=["ALL"])
      runAsNonRoot != true (pod or containers "elasticsearch", "proxy" must set securityContext.runAsNonRoot=true)
      seccompProfile (pod or containers "elasticsearch", "proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      indexmanagement:
      allowPrivilegeEscalation != false (container "indexmanagement" must set securityContext.allowPrivilegeEscalation=false)
      unrestricted capabilities (container "indexmanagement" must set securityContext.capabilities.drop=["ALL"])
      runAsNonRoot != true (pod or container "indexmanagement" must set securityContext.runAsNonRoot=true)
      seccompProfile (pod or container "indexmanagement" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      elasticsearch-operator:
      allowPrivilegeEscalation != false (container "kube-rbac-proxy" must set securityContext.allowPrivilegeEscalation=false)
      unrestricted capabilities (containers "kube-rbac-proxy", "elasticsearch-operator" must set securityContext.capabilities.drop=["ALL"])
      runAsNonRoot != true (pod or containers "kube-rbac-proxy", "elasticsearch-operator" must set securityContext.runAsNonRoot=true)
      seccompProfile (pod or containers "kube-rbac-proxy", "elasticsearch-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
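      The following is an added example, not code from the issue or from the OpenShift Logging / elasticsearch-operator projects. It re-implements the four "restricted" checks quoted above (allowPrivilegeEscalation, capabilities, runAsNonRoot, seccompProfile; the profile's other checks such as privileged, hostPID and volume types are left out) with the same warning wording, applies them to a constructed kibana-like pod spec that has no securityContext at all, and then shows the minimal hardening that makes the warnings disappear. The spec and image names are constructed; the pod-level inheritance and container-level override behaviour is that of Pod Security admission.

```python
from copy import deepcopy

# Constructed sample modelled on the kibana pod named in the issue; it is not the
# real kibana manifest, only a spec with no securityContext at all.
KIBANA_POD_SPEC = {
    "containers": [
        {"name": "kibana", "image": "kibana:example"},
        {"name": "kibana-proxy", "image": "oauth-proxy:example"},
    ],
}

RESTRICTED_SECCOMP = ("RuntimeDefault", "Localhost")


def _containers(spec):
    """All containers PSA evaluates: init, regular and ephemeral."""
    return [c for key in ("initContainers", "containers", "ephemeralContainers")
            for c in (spec.get(key) or [])]


def _ctx(obj):
    return obj.get("securityContext") or {}


def _subject(names, pod_level):
    """Render the '(pod or) container(s) "a", "b"' part of a PSA warning."""
    noun = "container" if len(names) == 1 else "containers"
    quoted = ", ".join('"%s"' % n for n in names)
    return ("pod or " if pod_level else "") + noun + " " + quoted


def restricted_violations(pod_spec):
    """Return the warnings the four quoted restricted checks emit for pod_spec.

    Empty when compliant. runAsNonRoot and seccompProfile may be satisfied at
    pod level, but a container-level value overrides the pod-level one; that is
    why those two warnings say 'pod or'. The capabilities check also rejects
    adds other than NET_BIND_SERVICE, reported with the same drop=["ALL"] text.
    """
    pod_ctx = _ctx(pod_spec)
    priv_esc, caps, nonroot, seccomp = [], [], [], []
    for c in _containers(pod_spec):
        ctx = _ctx(c)
        if ctx.get("allowPrivilegeEscalation") is not False:
            priv_esc.append(c["name"])
        cap = ctx.get("capabilities") or {}
        added = [a for a in (cap.get("add") or []) if a != "NET_BIND_SERVICE"]
        if "ALL" not in (cap.get("drop") or []) or added:
            caps.append(c["name"])
        if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
            nonroot.append(c["name"])
        profile = ctx.get("seccompProfile") or pod_ctx.get("seccompProfile") or {}
        if profile.get("type") not in RESTRICTED_SECCOMP:
            seccomp.append(c["name"])

    warnings = []
    if priv_esc:
        warnings.append("allowPrivilegeEscalation != false (%s must set "
                        "securityContext.allowPrivilegeEscalation=false)" % _subject(priv_esc, False))
    if caps:
        warnings.append('unrestricted capabilities (%s must set '
                        'securityContext.capabilities.drop=["ALL"])' % _subject(caps, False))
    if nonroot:
        warnings.append("runAsNonRoot != true (%s must set "
                        "securityContext.runAsNonRoot=true)" % _subject(nonroot, True))
    if seccomp:
        warnings.append('seccompProfile (%s must set securityContext.seccompProfile.type '
                        'to "RuntimeDefault" or "Localhost")' % _subject(seccomp, True))
    return warnings


def harden(pod_spec):
    """Return a copy of pod_spec with the minimal settings the four checks need.

    runAsNonRoot and seccompProfile are set once at pod level and any
    container-level value that would override them is removed; the two
    per-container fields are set on every container. Capability adds are
    trimmed to NET_BIND_SERVICE, the only add the restricted profile allows.
    """
    spec = deepcopy(pod_spec)
    pod_ctx = spec.setdefault("securityContext", {})
    pod_ctx["runAsNonRoot"] = True
    if (pod_ctx.get("seccompProfile") or {}).get("type") not in RESTRICTED_SECCOMP:
        pod_ctx["seccompProfile"] = {"type": "RuntimeDefault"}
    for c in _containers(spec):
        ctx = c.setdefault("securityContext", {})
        ctx["allowPrivilegeEscalation"] = False
        if ctx.get("runAsNonRoot") is False:
            del ctx["runAsNonRoot"]
        if (ctx.get("seccompProfile") or {}).get("type") not in RESTRICTED_SECCOMP:
            ctx.pop("seccompProfile", None)
        cap = ctx.setdefault("capabilities", {})
        cap["drop"] = ["ALL"]
        keep = [a for a in (cap.get("add") or []) if a == "NET_BIND_SERVICE"]
        if keep:
            cap["add"] = keep
        else:
            cap.pop("add", None)
    return spec


if __name__ == "__main__":
    for line in restricted_violations(KIBANA_POD_SPEC):
        print("warning:", line)
    print("after harden():", restricted_violations(harden(KIBANA_POD_SPEC)) or "compliant")
```

      Two caveats when applying the same fix to the real manifests. First, runAsNonRoot=true is enforced by the kubelet at container start: if the image's USER is root (or unset) and no runAsUser is supplied, the container fails with "container has runAsNonRoot and image will run as root", so each image must actually run as a non-root UID; on OpenShift the restricted SCC normally injects one. Second, a pod-level value does not help a container that sets its own conflicting securityContext, which is why the checker and harden() both look at container-level fields first. To reproduce the warnings on a cluster without changing anything, label a test namespace with pod-security.kubernetes.io/warn=restricted and run oc apply --dry-run=server against the manifest; server-side dry run goes through admission and returns the same warning lines.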

              rhn-support-abelkour Mohamed Amine Belkoura
              rhn-support-anli Anping Li