- Bug
- Resolution: Not a Bug
- Blocker
- Logging 5.8.0
Description of problem:
The HyperShift hosted project carries the label pod-security.kubernetes.io/enforce: restricted. The collector DaemonSet violates PodSecurity when it is deployed into a HyperShift hosted project.
Events:
  Type     Reason        Age  From                  Message
  ----     ------        ---  ----                  -------
  Normal   CreateObject  20m  clusterlogforwarder   CreateObject DaemonSet clusters-hypershift-ci-24808/http-to-cloudwatch
  Warning  FailedCreate  20m  daemonset-controller  Error creating: pods "http-to-cloudwatch-d6wsk" is forbidden: violates PodSecurity "restricted:latest": seLinuxOptions (container "collector" set forbidden securityContext.seLinuxOptions: type "spc_t"), unrestricted capabilities (container "collector" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlogcontainers", "varlogpods", "varlogjournal", "varlogaudit", "varlogovn", "varlogoauthapiserver", "varlogoauthserver", "varlogopenshiftapiserver", "varlogkubeapiserver", "datadir" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "collector" must set securityContext.runAsNonRoot=true)
  Warning  FailedCreate  20m  daemonset-controller  Error creating: pods "http-to-cloudwatch-fd9dd" is forbidden: violates PodSecurity "restricted:latest": seLinuxOptions (container "collector" set forbidden securityContext.seLinuxOptions: type "spc_t"), unrestricted capabilities (container "collector" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlogcontainers", "varlogpods", "varlogjournal", "varlogaudit", "varlogovn", "varlogoauthapiserver", "varlogoauthserver", "varlogopenshiftapiserver", "varlogkubeapiserver", "datadir" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "collector" must set securityContext.runAsNonRoot=true)
How reproducible:
Always
Steps to Reproduce:
# On the management cluster, create the CLF in the hosted cluster project.
1) Switch to the hosted cluster project:
oc project ${hosted_cluster_project}
2) Give the cluster-logging-operator the edit role in ${hosted_cluster_project}:
oc policy add-role-to-user edit system:serviceaccount:openshift-logging:cluster-logging-operator
3) Create the secret for the cloudwatch output:
oc create secret generic cloudwatch-credentials \
  --from-literal=aws_access_key_id="${AWS_ACCESS_KEY_ID}" \
  --from-literal=aws_secret_access_key="${AWS_SECRET_ACCESS_KEY}"
4) Create the collector service account and grant it the audit-log role:
oc create serviceaccount clf-collector
oc adm policy add-cluster-role-to-user collect-audit-logs -z clf-collector
5) Create the ClusterLogForwarder:
cat <<EOF | oc apply -f -
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: to-cloudwatch
spec:
  outputs:
  - name: cloudwatch
    type: cloudwatch
    cloudwatch:
      groupBy: logType
      region: us-east-2
    secret:
      name: cloudwatch-credentials
  pipelines:
  - name: to-cloudwatch
    inputRefs:
    - audit
    outputRefs:
    - cloudwatch
  serviceAccountName: clf-collector
EOF
6) Check the DaemonSet status:
$ oc get ds
NAME            DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
to-cloudwatch   6         0         0       0            0           kubernetes.io/os=linux   7s
$ oc describe ds/to-cloudwatch
Events:
  Type     Reason        Age  From                  Message
  ----     ------        ---  ----                  -------
  Normal   CreateObject  2m   clusterlogforwarder   CreateObject DaemonSet clusters-hypershift-ci-24808/to-cloudwatch
  Warning  FailedCreate  2m   daemonset-controller  Error creating: pods "to-cloudwatch-4qwpc" is forbidden: violates PodSecurity "restricted:latest": seLinuxOptions (container "collector" set forbidden securityContext.seLinuxOptions: type "spc_t"), unrestricted capabilities (container "collector" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlogcontainers", "varlogpods", "varlogjournal", "varlogaudit", "varlogovn", "varlogoauthapiserver", "varlogoauthserver", "varlogopenshiftapiserver", "varlogkubeapiserver", "datadir" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "collector" must set securityContext.runAsNonRoot=true)
  Warning  FailedCreate  2m   daemonset-controller  Error creating: pods "to-cloudwatch-w6662" is forbidden: violates PodSecurity "restricted:latest": seLinuxOptions (container "collector" set forbidden securityContext.seLinuxOptions: type "spc_t"), unrestricted capabilities (container "collector" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "varlogcontainers", "varlogpods", "varlogjournal", "varlogaudit", "varlogovn", "varlogoauthapiserver", "varlogoauthserver", "varlogopenshiftapiserver", "varlogkubeapiserver", "datadir" use restricted volume type "hostPath"), runAsNonRoot != true (pod or container "collector" must set securityContext.runAsNonRoot=true)
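The four failures in the events above are the PodSecurity "restricted" checks applied to the collector pod template. As an added example (not Logging operator code), the function below re-runs those same four checks locally on a pod template, so a spec that would be rejected by a namespace with pod-security.kubernetes.io/enforce: restricted is caught before it is applied; the sample template is constructed to mirror the collector pod in the report, and it covers only the four checks the events name, not the full restricted profile.

```python
# Added example (not Logging operator code): re-run the four PodSecurity
# "restricted" checks named in the DaemonSet events against a pod template.
RESTRICTED_VOLUME_TYPES = {"hostPath"}  # volume type rejected in the events
FORBIDDEN_SELINUX_TYPES = {"spc_t"}     # seLinuxOptions type rejected in the events

# Constructed sample mirroring the collector pod described in the report;
# the paths and the configMap volume are illustrative, not the operator's spec.
COLLECTOR_TEMPLATE = {
    "spec": {
        "securityContext": {},
        "volumes": [
            {"name": "varlogpods", "hostPath": {"path": "/var/log/pods"}},
            {"name": "datadir", "hostPath": {"path": "/var/lib/collector"}},
            {"name": "config", "configMap": {"name": "collector-config"}},
        ],
        "containers": [
            {"name": "collector",
             "securityContext": {"seLinuxOptions": {"type": "spc_t"}}},
        ],
    }
}


def psa_restricted_violations(template):
    """Return (check, detail) pairs, in the order the PSA event message lists them."""
    spec = template.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        sel_type = (sc.get("seLinuxOptions") or {}).get("type")
        if sel_type in FORBIDDEN_SELINUX_TYPES:
            violations.append(("seLinuxOptions",
                               f'container "{c["name"]}" sets type "{sel_type}"'))
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            violations.append(("unrestricted capabilities",
                               f'container "{c["name"]}" must set capabilities.drop=["ALL"]'))
        # runAsNonRoot=true may be set at pod level or on the container
        if sc.get("runAsNonRoot") is not True and pod_sc.get("runAsNonRoot") is not True:
            violations.append(("runAsNonRoot != true",
                               f'pod or container "{c["name"]}" must set runAsNonRoot=true'))
    # a volume's type is whatever key it carries besides "name"
    bad = [v["name"] for v in spec.get("volumes", [])
           if RESTRICTED_VOLUME_TYPES & (set(v) - {"name"})]
    if bad:
        violations.append(("restricted volume types", f"volumes {bad} use hostPath"))
    return violations
```

Calling psa_restricted_violations(COLLECTOR_TEMPLATE) yields the same four checks, in the same order, as the FailedCreate message; a template with runAsNonRoot=true, capabilities.drop=["ALL"], no spc_t and no hostPath volumes yields an empty list.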
Additional Info:
A project carrying the pod-security.kubernetes.io/enforce: restricted label can be created as below:
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  labels:
    kubernetes.io/metadata.name: test2
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.24
    pod-security.kubernetes.io/enforce: restricted
  name: test3
Relates to: OCPBUGS-20347 package-server-manager forbidden securityContext.seLinuxOptions: type "spc_t" (Closed)