OpenShift Logging: LOG-4572

collection DaemonSet violates PodSecurity in hypershift hosted project


    • Bug Fix
    • Sprint: Log Collection - Sprint 243

      Description of problem:

      The HyperShift hosted project carries the label pod-security.kubernetes.io/enforce: restricted. When the collection DaemonSet is deployed into that project, the daemonset-controller cannot create its pods because they violate the PodSecurity "restricted" profile:

      Events:
        Type     Reason        Age                 From                  Message
        ----     ------        ----                ----                  -------
        Normal   CreateObject  20m                 clusterlogforwarder   CreateObject DaemonSet clusters-hypershift-ci-24808/http-to-cloudwatch
        Warning  FailedCreate  20m                 daemonset-controller  Error creating: pods "http-to-cloudwatch-d6wsk" is forbidden: violates PodSecurity "restricted:latest": seLinuxOptions (container "collector" set forbidden securityContext.seLinuxOptions: type "spc_t"), unrestricted capabilities (container "collector" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlogcontainers", "varlogpods", "varlogjournal", "varlogaudit", "varlogovn", "varlogoauthapiserver", "varlogoauthserver", "varlogopenshiftapiserver", "varlogkubeapiserver", "datadir" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "collector" must set securityContext.runAsNonRoot=true)
        Warning  FailedCreate  20m                 daemonset-controller  Error creating: pods "http-to-cloudwatch-fd9dd" is forbidden: violates PodSecurity "restricted:latest": seLinuxOptions (container "collector" set forbidden securityContext.seLinuxOptions: type "spc_t"), unrestricted capabilities (container "collector" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlogcontainers", "varlogpods", "varlogjournal", "varlogaudit", "varlogovn", "varlogoauthapiserver", "varlogoauthserver", "varlogopenshiftapiserver", "varlogkubeapiserver", "datadir" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "collector" must set securityContext.runAsNonRoot=true)
      

      How reproducible:

      Always

      Steps to Reproduce:

      # On the management cluster, create the CLF under the hosted cluster project.
      1) oc project ${hosted_cluster_project}
      2) Give the cluster-logging-operator service account the edit role in ${hosted_cluster_project}:
      oc policy add-role-to-user edit system:serviceaccount:openshift-logging:cluster-logging-operator
      3) Create the secret for the cloudwatch output:

       oc create secret generic cloudwatch-credentials \
          --from-literal=aws_access_key_id="${AWS_ACCESS_KEY_ID}" \
          --from-literal=aws_secret_access_key="${AWS_SECRET_ACCESS_KEY}"
      

      4) Create the collector service account and allow it to collect audit logs:
      oc create serviceaccount clf-collector
      oc adm policy add-cluster-role-to-user collect-audit-logs -z clf-collector

      5) Create the ClusterLogForwarder:

      cat <<EOF |  oc apply -f -
      apiVersion: logging.openshift.io/v1
      kind: ClusterLogForwarder
      metadata:
        name: to-cloudwatch
      spec:
        outputs:
        - name: cloudwatch
          type: cloudwatch
          cloudwatch:
            groupBy: logType
            region: us-east-2
          secret:
            name: cloudwatch-credentials
        pipelines:
          - name: to-cloudwatch
            inputRefs:
            - audit
            outputRefs:
            - cloudwatch
        serviceAccountName: clf-collector
      EOF
      

      6) Check the DaemonSet status:

      $ oc get ds
      NAME            DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
      to-cloudwatch   6         0         0       0            0           kubernetes.io/os=linux   7s
      $ oc describe ds/to-cloudwatch
      
      Events:
        Type     Reason        Age                 From                  Message
        ----     ------        ----                ----                  -------
        Normal   CreateObject  2m                  clusterlogforwarder   CreateObject DaemonSet clusters-hypershift-ci-24808/to-cloudwatch
        Warning  FailedCreate  2m                  daemonset-controller  Error creating: pods "to-cloudwatch-4qwpc" is forbidden: violates PodSecurity "restricted:latest": seLinuxOptions (container "collector" set forbidden securityContext.seLinuxOptions: type "spc_t"), unrestricted capabilities (container "collector" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlogcontainers", "varlogpods", "varlogjournal", "varlogaudit", "varlogovn", "varlogoauthapiserver", "varlogoauthserver", "varlogopenshiftapiserver", "varlogkubeapiserver", "datadir" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "collector" must set securityContext.runAsNonRoot=true)
        Warning  FailedCreate  2m                  daemonset-controller  Error creating: pods "to-cloudwatch-w6662" is forbidden: violates PodSecurity "restricted:latest": seLinuxOptions (container "collector" set forbidden securityContext.seLinuxOptions: type "spc_t"), unrestricted capabilities (container "collector" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlogcontainers", "varlogpods", "varlogjournal", "varlogaudit", "varlogovn", "varlogoauthapiserver", "varlogoauthserver", "varlogopenshiftapiserver", "varlogkubeapiserver", "datadir" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "collector" must set securityContext.runAsNonRoot=true)
      

      Additional Info:

      A project that enforces pod-security.kubernetes.io/enforce: restricted (the same label the hosted project carries) can be created as below:

      apiVersion: project.openshift.io/v1
      kind: Project
      metadata:
        labels:
          # kubernetes.io/metadata.name is set by the API server and always equals the project name
          kubernetes.io/metadata.name: test3
          pod-security.kubernetes.io/audit: restricted
          pod-security.kubernetes.io/audit-version: v1.24
          pod-security.kubernetes.io/warn: restricted
          pod-security.kubernetes.io/warn-version: v1.24
          pod-security.kubernetes.io/enforce: restricted
        name: test3
      
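      The following is an added example, not code from the OpenShift Logging operator or from this issue. It models the Pod Security Standards "restricted" checks that appear in the FailedCreate events above (seLinuxOptions type, capabilities.drop=["ALL"], permitted volume types, runAsNonRoot) and the namespace-label lookup that decides whether they are enforced, so a pod spec can be triaged offline before it reaches the daemonset-controller. The collector-like pod spec, the hardened spec, the placeholder image and the namespace labels are all constructed here; the operator's real DaemonSet manifest is not on the page. Only the four checks named in the event message are modelled, not the full restricted profile.

```python
# Added example (not OpenShift Logging code): an offline approximation of the
# four Pod Security "restricted" checks quoted in the DaemonSet events, plus the
# namespace-label lookup that decides whether they apply. Dicts follow the
# Kubernetes PodSpec / container field names.

PSA_ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"

# Volume types the restricted profile permits; anything else (notably hostPath,
# which a node log collector needs) is reported.
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
# SELinux types that may be set explicitly under baseline/restricted.
ALLOWED_SELINUX_TYPES = {"", "container_t", "container_init_t", "container_kvm_t"}


def enforce_level(namespace_labels):
    """PSA level a namespace enforces; Kubernetes defaults to 'privileged' when the label is absent."""
    return namespace_labels.get(PSA_ENFORCE_LABEL, "privileged")


def restricted_violations(pod_spec):
    """Violation strings in the same order as the admission message:
    seLinuxOptions, capabilities, volume types, runAsNonRoot. Empty list means admitted."""
    pod_sc = pod_spec.get("securityContext", {})
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    bad_selinux, no_drop_all, not_nonroot = [], [], []
    for c in containers:
        sc = c.get("securityContext", {})
        # Container-level seLinuxOptions override the pod-level setting.
        se_type = (sc.get("seLinuxOptions") or pod_sc.get("seLinuxOptions") or {}).get("type", "")
        if se_type not in ALLOWED_SELINUX_TYPES:
            bad_selinux.append(f'container "{c["name"]}" set forbidden securityContext.seLinuxOptions: type "{se_type}"')
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            no_drop_all.append(f'container "{c["name"]}" must set securityContext.capabilities.drop=["ALL"]')
        # runAsNonRoot may be satisfied at pod level unless the container overrides it.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            not_nonroot.append(f'pod or container "{c["name"]}" must set securityContext.runAsNonRoot=true')

    found = []
    if bad_selinux:
        found.append("seLinuxOptions (" + ", ".join(bad_selinux) + ")")
    if no_drop_all:
        found.append("unrestricted capabilities (" + ", ".join(no_drop_all) + ")")
    bad_vols = [(v["name"], t) for v in pod_spec.get("volumes", [])
                for t in v if t != "name" and t not in RESTRICTED_VOLUME_TYPES]
    if bad_vols:
        names = ", ".join(f'"{n}"' for n, _ in bad_vols)
        types = ", ".join(sorted({t for _, t in bad_vols}))
        found.append(f'restricted volume types (volumes {names} use restricted volume type "{types}")')
    if not_nonroot:
        found.append("runAsNonRoot != true (" + ", ".join(not_nonroot) + ")")
    return found


def admission_report(namespace_labels, pod_spec):
    """(admitted, violations) as the namespace's enforce label decides it.
    Only 'restricted' is modelled; 'privileged' and 'baseline' admit here."""
    violations = restricted_violations(pod_spec) if enforce_level(namespace_labels) == "restricted" else []
    return (not violations, violations)


# Constructed stand-in for the collector pod (not the operator's manifest): it has
# the same four properties the admission error lists. Image is a placeholder.
COLLECTOR_LIKE_SPEC = {
    "containers": [{
        "name": "collector",
        "image": "example.invalid/collector:placeholder",
        "securityContext": {"seLinuxOptions": {"type": "spc_t"}},
    }],
    "volumes": [
        {"name": "varlogcontainers", "hostPath": {"path": "/var/log/containers"}},
        {"name": "varlogaudit", "hostPath": {"path": "/var/log/audit"}},
    ],
}

# Constructed hardened variant showing which fields satisfy the four checks. The
# hostPath volume is swapped for emptyDir only to make the volume check pass;
# a real node log collector cannot do that, so the namespace enforce level is
# what actually decides admission for it.
RESTRICTED_OK_SPEC = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "collector",
        "image": "example.invalid/collector:placeholder",
        "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
    }],
    "volumes": [{"name": "datadir", "emptyDir": {}}],
}

# Constructed labels matching the Project manifest under "Additional Info".
HOSTED_PROJECT_LABELS = {
    "kubernetes.io/metadata.name": "test3",
    "pod-security.kubernetes.io/enforce": "restricted",
    "pod-security.kubernetes.io/warn": "restricted",
}

if __name__ == "__main__":
    ok, why = admission_report(HOSTED_PROJECT_LABELS, COLLECTOR_LIKE_SPEC)
    print("admitted" if ok else 'forbidden: violates PodSecurity "restricted": ' + ", ".join(why))
```

      Running the script reproduces the four findings in the event message for the collector-like spec and an empty list for the hardened spec; with no enforce label on the namespace the same collector spec is admitted, which is the difference between an ordinary project and the HyperShift hosted project described in this issue.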

              Assignee: Unassigned
              Reporter: rhn-support-anli Anping Li