OpenShift Logging: LOG-2627

containers violate PodSecurity -- Loki


Sprint: Log Storage - Sprint 221, Log Storage - Sprint 222

From https://kubernetes.io/docs/concepts/security/pod-security-admission/:
In v1.23 (OCP 4.11), the PodSecurity feature gate is a Beta feature and is enabled by default.

The following logging containers violate PodSecurity:

#lokistack-sample-distributor

allowPrivilegeEscalation != false (container "loki-distributor" must set securityContext.allowPrivilegeEscalation=false),
unrestricted capabilities (container "loki-distributor" must set securityContext.capabilities.drop=["ALL"]),
runAsNonRoot != true (pod or container "loki-distributor" must set securityContext.runAsNonRoot=true),
seccompProfile (pod or container "loki-distributor" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

#lokistack-sample-gateway

allowPrivilegeEscalation != false (containers "gateway", "opa" must set securityContext.allowPrivilegeEscalation=false),
unrestricted capabilities (containers "gateway", "opa" must set securityContext.capabilities.drop=["ALL"]),
runAsNonRoot != true (pod or containers "gateway", "opa" must set securityContext.runAsNonRoot=true),
seccompProfile (pod or containers "gateway", "opa" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

#lokistack-sample-querier

allowPrivilegeEscalation != false (container "loki-querier" must set securityContext.allowPrivilegeEscalation=false),
unrestricted capabilities (container "loki-querier" must set securityContext.capabilities.drop=["ALL"]),
runAsNonRoot != true (pod or container "loki-querier" must set securityContext.runAsNonRoot=true),
seccompProfile (pod or container "loki-querier" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

#lokistack-sample-query-frontend

allowPrivilegeEscalation != false (container "loki-query-frontend" must set securityContext.allowPrivilegeEscalation=false),
unrestricted capabilities (container "loki-query-frontend" must set securityContext.capabilities.drop=["ALL"]),
runAsNonRoot != true (pod or container "loki-query-frontend" must set securityContext.runAsNonRoot=true),
seccompProfile (pod or container "loki-query-frontend" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

#lokistack-sample-compactor

allowPrivilegeEscalation != false (container "loki-compactor" must set securityContext.allowPrivilegeEscalation=false),
unrestricted capabilities (container "loki-compactor" must set securityContext.capabilities.drop=["ALL"]),
runAsNonRoot != true (pod or container "loki-compactor" must set securityContext.runAsNonRoot=true),
seccompProfile (pod or container "loki-compactor" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

#lokistack-sample-index-gateway

allowPrivilegeEscalation != false (container "loki-index-gateway" must set securityContext.allowPrivilegeEscalation=false),
unrestricted capabilities (container "loki-index-gateway" must set securityContext.capabilities.drop=["ALL"]),
runAsNonRoot != true (pod or container "loki-index-gateway" must set securityContext.runAsNonRoot=true),
seccompProfile (pod or container "loki-index-gateway" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

#lokistack-sample-ingester

allowPrivilegeEscalation != false (container "loki-ingester" must set securityContext.allowPrivilegeEscalation=false),
unrestricted capabilities (container "loki-ingester" must set securityContext.capabilities.drop=["ALL"]),
runAsNonRoot != true (pod or container "loki-ingester" must set securityContext.runAsNonRoot=true),
seccompProfile (pod or container "loki-ingester" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

#loki-operator-controller-manager

allowPrivilegeEscalation != false (container "kube-rbac-proxy" must set securityContext.allowPrivilegeEscalation=false),
unrestricted capabilities (containers "manager", "kube-rbac-proxy" must set securityContext.capabilities.drop=["ALL"]),
runAsNonRoot != true (pod or containers "manager", "kube-rbac-proxy" must set securityContext.runAsNonRoot=true),
seccompProfile (pod or containers "manager", "kube-rbac-proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
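The four admission messages above all come from the same four controls of the PodSecurity "restricted" profile, and the fix is the same for every pod: a container securityContext with allowPrivilegeEscalation=false, capabilities.drop=["ALL"], runAsNonRoot=true and a RuntimeDefault (or Localhost) seccompProfile. The script below is an added example, not loki-operator code: it re-implements just those four checks over a pod manifest (as a Python dict, as you would get from parsing the YAML), formats the violations in the same wording the admission controller uses, and shows the hardened securityContext that clears them. The two pod manifests in it are constructed to resemble the gateway and distributor pods named in this issue; the real restricted profile has further checks (host namespaces, volume types, and so on) that this script does not cover.

```python
"""Lint pod specs against the four PodSecurity 'restricted' controls named in
LOG-2627 and show the securityContext that satisfies them.
Added example; not part of the loki-operator code base."""
import copy

RESTRICTED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}

# Container-level securityContext that satisfies all four controls at once.
# These are exactly the values the admission messages ask for.
HARDENED_CONTAINER_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "runAsNonRoot": True,
    "seccompProfile": {"type": "RuntimeDefault"},
}


def _ctx(obj):
    """securityContext of a pod spec or container, {} when absent."""
    return obj.get("securityContext") or {}


def _names(names):
    """Render container names the way the admission controller does."""
    quoted = ", ".join(f'"{n}"' for n in names)
    return f"container {quoted}" if len(names) == 1 else f"containers {quoted}"


def check_pod(pod):
    """Return admission-style violation messages for the four restricted-profile
    controls; an empty list means the pod passes them."""
    spec = pod["spec"]
    pod_ctx = _ctx(spec)
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    bad = {"ape": [], "caps": [], "nonroot": [], "seccomp": []}
    for c in containers:
        ctx = _ctx(c)
        # allowPrivilegeEscalation and capabilities exist only at container level:
        # a pod-level securityContext cannot satisfy them.
        if ctx.get("allowPrivilegeEscalation") is not False:
            bad["ape"].append(c["name"])
        if "ALL" not in ((ctx.get("capabilities") or {}).get("drop") or []):
            bad["caps"].append(c["name"])
        # runAsNonRoot and seccompProfile may be set on the pod and are inherited
        # unless the container overrides them.
        if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
            bad["nonroot"].append(c["name"])
        seccomp = ctx.get("seccompProfile") or pod_ctx.get("seccompProfile") or {}
        if seccomp.get("type") not in RESTRICTED_SECCOMP_TYPES:
            bad["seccomp"].append(c["name"])
    msgs = []
    if bad["ape"]:
        msgs.append(f'allowPrivilegeEscalation != false ({_names(bad["ape"])} '
                    f'must set securityContext.allowPrivilegeEscalation=false)')
    if bad["caps"]:
        msgs.append(f'unrestricted capabilities ({_names(bad["caps"])} '
                    f'must set securityContext.capabilities.drop=["ALL"])')
    if bad["nonroot"]:
        msgs.append(f'runAsNonRoot != true (pod or {_names(bad["nonroot"])} '
                    f'must set securityContext.runAsNonRoot=true)')
    if bad["seccomp"]:
        msgs.append(f'seccompProfile (pod or {_names(bad["seccomp"])} must set '
                    f'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")')
    return msgs


def harden(pod):
    """Return a copy of the pod with HARDENED_CONTAINER_CONTEXT merged into every
    container's securityContext (existing keys such as runAsUser are kept)."""
    fixed = copy.deepcopy(pod)
    spec = fixed["spec"]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        c["securityContext"] = {**_ctx(c), **copy.deepcopy(HARDENED_CONTAINER_CONTEXT)}
    return fixed


# Constructed sample modelled on the gateway pod: two containers, no securityContext.
UNHARDENED_POD = {
    "metadata": {"name": "lokistack-sample-gateway"},
    "spec": {"containers": [{"name": "gateway", "image": "example/gateway"},
                            {"name": "opa", "image": "example/opa"}]},
}

# Constructed sample with only a pod-level securityContext: the two inheritable
# controls pass, the two container-only controls still fail.
POD_LEVEL_ONLY_POD = {
    "metadata": {"name": "lokistack-sample-distributor"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{"name": "loki-distributor", "image": "example/loki"}],
    },
}

if __name__ == "__main__":
    for pod in (UNHARDENED_POD, POD_LEVEL_ONLY_POD, harden(UNHARDENED_POD)):
        print(pod["metadata"]["name"])
        for msg in check_pod(pod) or ["OK"]:
            print("  ", msg)
```

Running it prints the same four lines the issue quotes for the gateway pod, two lines for the pod-level-only variant (showing why runAsNonRoot and seccompProfile can be fixed once per pod while allowPrivilegeEscalation and capabilities.drop must be set on each container), and OK for the hardened copy.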

            gvanloo Gerard Vanloo (Inactive)
            rhn-support-anli Anping Li
            Anping Li Anping Li