OpenShift Logging / LOG-2620

containers violate PodSecurity -- Core


      With the introduction of the new built-in Pod Security Admission Controller, which enforces the Pod Security Standards, Pods that are not configured according to the security standards enforced globally or at the namespace level will not be admitted and cannot run.
      With this update, the operator and collectors are made to allow "privileged" execution and will run without security audit warnings or errors.
      You can simply copy the test.sh from AUTH-221.

    • Logging (Core) - Sprint 219, Log Collection - Sprint 222, Log Collection - Sprint 223, Log Collection - Sprint 224, Log Collection - Sprint 225

      From https://kubernetes.io/docs/concepts/security/pod-security-admission/
      In v1.23 (OCP 4.11), the PodSecurity feature gate is a Beta feature and is enabled by default.

      The logging containers below violate PodSecurity.

      Collector:

      • seLinuxOptions (containers "collector", "logfilesmetricexporter" set forbidden securityContext.seLinuxOptions: type "spc_t")
      • unrestricted capabilities (containers "collector", "logfilesmetricexporter" must set securityContext.capabilities.drop=["ALL"])
      • restricted volume types (volumes "varlog", "varlogcontainers", "varlogpods", "varlogjournal", "varlogaudit", "varlogovn", "varlogoauthapiserver", "varlogopenshiftapiserver", "varlogkubeapiserver", "localtime", "datadir" use restricted volume type "hostPath")
      • restricted volume types (volumes "varlog", "varlogcontainers", "varlogpods", "varlogjournal", "varlogaudit", "varlogovn", "varlogoauthapiserver", "varlogopenshiftapiserver", "varlogkubeapiserver", "localtime", "filebufferstorage" use restricted volume type "hostPath")
      • runAsNonRoot != true (pod or containers "collector", "logfilesmetricexporter" must set securityContext.runAsNonRoot=true)
      • seccompProfile (pod or containers "collector", "logfilesmetricexporter" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      cluster-logging-operator:

      • allowPrivilegeEscalation != false (container "cluster-logging-operator" must set securityContext.allowPrivilegeEscalation=false)
      • unrestricted capabilities (container "cluster-logging-operator" must set securityContext.capabilities.drop=["ALL"])
      • runAsNonRoot != true (pod or container "cluster-logging-operator" must set securityContext.runAsNonRoot=true)
      • seccompProfile (pod or container "cluster-logging-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
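      As an added example (not from this ticket or the cluster-logging-operator code), the Python below re-implements the subset of "restricted" profile checks quoted in the messages above, so a pod spec can be checked before the admission controller rejects it; the real Pod Security Admission controller runs more checks than these, and the pod-level/container-level merging here is simplified. The sample specs are constructed, not the real manifests.

```python
ALLOWED_SELINUX_TYPES = {"container_t", "container_init_t", "container_kvm_t"}

def _effective(pod_spec, container, key):
    """Container-level securityContext wins, else pod-level (simplification of PSA)."""
    value = (container.get("securityContext") or {}).get(key)
    return value if value is not None else (pod_spec.get("securityContext") or {}).get(key)

def restricted_violations(pod_spec):
    """Return the 'restricted' profile violations quoted in the ticket, as messages."""
    problems = []
    for vol in pod_spec.get("volumes") or []:
        if "hostPath" in vol:
            problems.append(f'volume "{vol["name"]}" uses restricted volume type "hostPath"')
    for c in (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or []):
        name, sc = c["name"], c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f'container "{name}" must set securityContext.allowPrivilegeEscalation=false')
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            problems.append(f'container "{name}" must set securityContext.capabilities.drop=["ALL"]')
        if _effective(pod_spec, c, "runAsNonRoot") is not True:
            problems.append(f'pod or container "{name}" must set securityContext.runAsNonRoot=true')
        seccomp = _effective(pod_spec, c, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f'pod or container "{name}" must set securityContext.seccompProfile.type '
                            'to "RuntimeDefault" or "Localhost"')
        selinux = _effective(pod_spec, c, "seLinuxOptions") or {}
        if selinux.get("type") and selinux["type"] not in ALLOWED_SELINUX_TYPES:
            problems.append(f'container "{name}" set forbidden securityContext.seLinuxOptions: type "{selinux["type"]}"')
    return problems

# Constructed sample specs (not the real operator manifests): the operator pod as the
# ticket describes it, and the same pod with the settings the messages ask for.
OPERATOR_BEFORE = {"containers": [{"name": "cluster-logging-operator", "image": "example/clo"}]}
OPERATOR_AFTER = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "cluster-logging-operator", "image": "example/clo",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
}
# The collector mounts host log directories via hostPath and runs with SELinux type spc_t,
# so it cannot satisfy "restricted" at all; that is why the fix runs it as "privileged".
COLLECTOR = {
    "volumes": [{"name": "varlog", "hostPath": {"path": "/var/log"}}],
    "containers": [{"name": "collector", "image": "example/collector",
                    "securityContext": {"seLinuxOptions": {"type": "spc_t"}}}],
}
```

      Running restricted_violations(OPERATOR_BEFORE) reproduces the four operator messages above, while OPERATOR_AFTER returns no violations.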
      

            cahartma@redhat.com Casey Hartman
            rhn-support-anli Anping Li