Uploaded image for project: 'Network Hardware Enablement'
  1. Network Hardware Enablement
  2. NHE-442

pod security issue for ovnkube node pods created by DPU network operator

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • openshift-4.13
    • None
    • DPU
    • None 

        Warning  FailedCreate  6m29s                daemonset-controller  Error creating: pods "ovnkube-node-gfng9" is forbidden: violates PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), hostPort (container "ovnkube-node" uses hostPort 29103), privileged (containers "ovn-controller", "ovnkube-node" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "ovn-controller", "ovnkube-node" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "ovn-controller", "ovnkube-node" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "systemd-units", "host-slash", "host-run-netns", "var-lib-openvswitch", "etc-openvswitch", "run-openvswitch", "run-ovn", "host-run-ovn-kubernetes" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "ovn-controller", "ovnkube-node" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "ovn-controller", "ovnkube-node" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  Warning  FailedCreate  6m29s                daemonset-controller  Error creating: pods "ovnkube-node-vghdh" is forbidden: violates PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), hostPort (container "ovnkube-node" uses hostPort 29103), privileged (containers "ovn-controller", "ovnkube-node" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "ovn-controller", "ovnkube-node" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "ovn-controller", "ovnkube-node" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "systemd-units", "host-slash", "host-run-netns", "var-lib-openvswitch", "etc-openvswitch", "run-openvswitch", "run-ovn", "host-run-ovn-kubernetes" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "ovn-controller", "ovnkube-node" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "ovn-controller", "ovnkube-node" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  Warning  FailedCreate  6m28s                daemonset-controller  Error creating: pods "ovnkube-node-gbscx" is forbidden: violates PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), hostPort (container "ovnkube-node" uses hostPort 29103), privileged (containers "ovn-controller", "ovnkube-node" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "ovn-controller", "ovnkube-node" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "ovn-controller", "ovnkube-node" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "systemd-units", "host-slash", "host-run-netns", "var-lib-openvswitch", "etc-openvswitch", "run-openvswitch", "run-ovn", "host-run-ovn-kubernetes" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "ovn-controller", "ovnkube-node" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "ovn-controller", "ovnkube-node" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
  Warning  FailedCreate  62s (x8 over 6m27s)  daemonset-controller  (combined from similar events): Error creating: pods "ovnkube-node-676bh" is forbidden: violates PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true), hostPort (container "ovnkube-node" uses hostPort 29103), privileged (containers "ovn-controller", "ovnkube-node" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "ovn-controller", "ovnkube-node" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "ovn-controller", "ovnkube-node" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "systemd-units", "host-slash", "host-run-netns", "var-lib-openvswitch", "etc-openvswitch", "run-openvswitch", "run-ovn", "host-run-ovn-kubernetes" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "ovn-controller", "ovnkube-node" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "ovn-controller", "ovnkube-node" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

              bnemeth@redhat.com Balazs Nemeth
              bnemeth@redhat.com Balazs Nemeth
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: