Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-2619

containers violate PodSecurity -- Log Exporation

    XMLWordPrintable

Details

    • Log Storage - Sprint 221, Log Storage - Sprint 222

    Description

      From https://kubernetes.io/docs/concepts/security/pod-security-admission/
      In v1.23(OCP 4.11), the PodSecurity feature gate is a Beta feature and is enabled by default.

      The below logging containers violate PodSecurity

      kibana:
      allowPrivilegeEscalation != false (containers "kibana", "kibana-proxy" must set securityContext.allowPrivilegeEscalation=false)
      unrestricted capabilities (containers "kibana", "kibana-proxy" must set securityContext.capabilities.drop=["ALL"]),
      runAsNonRoot != true (pod or containers "kibana", "kibana-proxy" must set securityContext.runAsNonRoot=true)
      seccompProfile (pod or containers "kibana", "kibana-proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      elasticsearch:
      unrestricted capabilities (containers "elasticsearch", "proxy" must set securityContext.capabilities.drop=["ALL"])
      runAsNonRoot != true (pod or containers "elasticsearch", "proxy" must set securityContext.runAsNonRoot=true)
      seccompProfile (pod or containers "elasticsearch", "proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      indexmanagement:
      allowPrivilegeEscalation != false (container "indexmanagement" must set securityContext.allowPrivilegeEscalation=false)
      unrestricted capabilities (container "indexmanagement" must set securityContext.capabilities.drop=["ALL"])
      runAsNonRoot != true (pod or container "indexmanagement" must set securityContext.runAsNonRoot=true)
      seccompProfile (pod or container "indexmanagement" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      elasticsearch-operator:
      allowPrivilegeEscalation != false (container "kube-rbac-proxy" must set securityContext.allowPrivilegeEscalation=false)
      unrestricted capabilities (containers "kube-rbac-proxy", "elasticsearch-operator" must set securityContext.capabilities.drop=["ALL"])
      runAsNonRoot != true (pod or containers "kube-rbac-proxy", "elasticsearch-operator" must set securityContext.runAsNonRoot=true)
      seccompProfile (pod or containers "kube-rbac-proxy", "elasticsearch-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. LOG-2620 containers violate PodSecurity -- Core

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. LOG-2627 containers violate PodSecurity -- Loki

          • Undefined - Priority not specified.
          • Closed

          Activity

            People

              rhn-support-abelkour Mohamed Amine Belkoura
              rhn-support-anli Anping Li
              Anping Li Anping Li
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: