Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-3077

[release-5.5] containers violate PodSecurity -- Core

XMLWordPrintable

    • False
    • None
    • False
    • NEW
    • VERIFIED
    • Hide
      With the introduction of the new built-in Pod Security Admission Controller that enforces the Pod Security Standards, Pods that are not configured according to the enforced security standards defined globally or on the namespace level, will not be admitted and cannot run.
      With this update, the operator and collectors are made to allow "privileged" execution and will run without security audit warnings or errors.
      Show
      With the introduction of the new built-in Pod Security Admission Controller that enforces the Pod Security Standards, Pods that are not configured according to the enforced security standards defined globally or on the namespace level, will not be admitted and cannot run. With this update, the operator and collectors are made to allow "privileged" execution and will run without security audit warnings or errors.
    • Hide

      you can simply copy the test.sh from AUTH-221

      Show
      you can simply copy the test.sh from AUTH-221
    • Log Collection - Sprint 225

      From https://kubernetes.io/docs/concepts/security/pod-security-admission/
      In v1.23(OCP 4.11), the PodSecurity feature gate is a Beta feature and is enabled by default.

      The below logging containers violate PodSecurity
      Collector:

      seLinuxOptions (containers "collector", "logfilesmetricexporter" set forbidden securityContext.seLinuxOptions: type "spc_t"), 
      unrestricted capabilities (containers "collector", "logfilesmetricexporter" must set securityContext.capabilities.drop=["ALL"]), 
      restricted volume types (volumes "varlog", "varlogcontainers", "varlogpods", "varlogjournal", "varlogaudit", "varlogovn", "varlogoauthapiserver", "varlogopenshiftapiserver", "varlogkubeapiserver", "localtime", "datadir" use restricted volume type "hostPath"), 
      restricted volume types (volumes "varlog", "varlogcontainers", "varlogpods", "varlogjournal", "varlogaudit", "varlogovn", "varlogoauthapiserver", "varlogopenshiftapiserver", "varlogkubeapiserver", "localtime", "filebufferstorage" use restricted volume type "hostPath"), 
      runAsNonRoot != true (pod or containers "collector", "logfilesmetricexporter" must set securityContext.runAsNonRoot=true), 
      seccompProfile (pod or containers "collector", "logfilesmetricexporter" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      

      cluster-logging-operator:

      allowPrivilegeEscalation != false (container "cluster-logging-operator" must set securityContext.allowPrivilegeEscalation=false), 
      unrestricted capabilities (container "cluster-logging-operator" must set securityContext.capabilities.drop=["ALL"]), 
      runAsNonRoot != true (pod or container "cluster-logging-operator" must set securityContext.runAsNonRoot=true), 
      seccompProfile (pod or container "cluster-logging-operator" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      

            cahartma@redhat.com Casey Hartman
            rhn-support-anli Anping Li
            Anping Li Anping Li
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: