Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-10432

CSI Inline Volume admission plugin does not log object name correctly

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • None
    • 4.13
    • Storage / Kubernetes
    • None
    • Moderate
    • No
    • Storage Sprint 233
    • 1
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • N/A
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-8220. The following is the description of the original issue:

      Description of problem:

      [CSI Inline Volume admission plugin] when using deployment/statefulset/daemonset workload with inline volume doesn't record audit logs/warning correctly

      Version-Release number of selected component (if applicable):

      4.13.0-0.ci.test-2023-03-02-013814-ci-ln-yd4m4st-latest (nightly build also could be reproduced)

      How reproducible:

      Always

      Steps to Reproduce:

      1. Enable feature gate to auto install the csi.sharedresource csi driver
      
      2. Add security.openshift.io/csi-ephemeral-volume-profile: privileged to CSIDriver 'csi.sharedresource.openshift.io' # scale down the cvo,cso and shared-resource-csi-driver-operator $ oc scale --replicas=0 deploy/cluster-version-operator -n openshift-cluster-version deployment.apps/cluster-version-operator scaled $oc scale --replicas=0 deploy/cluster-storage-operator -n openshift-cluster-storage-operator deployment.apps/cluster-storage-operator scaled $ oc scale --replicas=0 deploy/shared-resource-csi-driver-operator -n openshift-cluster-csi-drivers deployment.apps/shared-resource-csi-driver-operator scaled # Add security.openshift.io/csi-ephemeral-volume-profile: privileged to CSIDriver $ oc get csidriver/csi.sharedresource.openshift.io -o yaml apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: annotations: csi.openshift.io/managed: "true" operator.openshift.io/spec-hash: 4fc61ff54015a7e91e07b93ac8e64f46983a59b4b296344948f72187e3318b33 creationTimestamp: "2022-10-26T08:10:23Z" labels: security.openshift.io/csi-ephemeral-volume-profile: privileged
      
      3. Create different workloads with inline volume in a restricted namespace
      $ oc apply -f examples/simple 
      role.rbac.authorization.k8s.io/shared-resource-my-share-pod created 
      rolebinding.rbac.authorization.k8s.io/shared-resource-my-share-pod created configmap/my-config created sharedconfigmap.sharedresource.openshift.io/my-share-pod created 
      Error from server (Forbidden): error when creating "examples/simple/03-pod.yaml": pods "my-csi-app-pod" is forbidden: admission denied: pod my-csi-app-pod uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security enforce level that is lower than privileged 
      Error from server (Forbidden): error when creating "examples/simple/04-deployment.yaml": deployments.apps "mydeployment" is forbidden: admission denied: pod  uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security enforce level that is lower than privileged 
      Error from server (Forbidden): error when creating "examples/simple/05-statefulset.yaml": statefulsets.apps "my-sts" is forbidden: admission denied: pod  uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security enforce level that is lower than privileged
      
      4.  Add enforce: privileged label to the test ns and create different workloads with inline volume again 
      $ oc label ns/my-csi-app-namespace security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=restricted pod-security.kubernetes.io/warn=restricted --overwrite
      namespace/my-csi-app-namespace labeled
      
      $ oc apply -f examples/simple                    
      role.rbac.authorization.k8s.io/shared-resource-my-share-pod created
      rolebinding.rbac.authorization.k8s.io/shared-resource-my-share-pod created
      configmap/my-config created
      sharedconfigmap.sharedresource.openshift.io/my-share-pod created
      Warning: pod my-csi-app-pod uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security warn level that is lower than privileged
      pod/my-csi-app-pod created
      Warning: pod  uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security warn level that is lower than privileged
      deployment.apps/mydeployment created
      daemonset.apps/my-ds created
      statefulset.apps/my-sts created
      
      $ oc get po                                               
      NAME                            READY   STATUS    RESTARTS   AGE
      my-csi-app-pod                  1/1     Running   0          34s
      my-ds-cw4k7                     1/1     Running   0          32s
      my-ds-sv9vp                     1/1     Running   0          32s
      my-ds-v7f9m                     1/1     Running   0          32s
      my-sts-0                        1/1     Running   0          31s
      mydeployment-664cd95cb4-4s2cd   1/1     Running   0          33s
      
      5. Check the api-server audit logs
      $ oc adm node-logs ip-10-0-211-240.us-east-2.compute.internal --path=kube-apiserver/audit.log | grep 'uses an inline volume provided by'| tail -1 | jq . | grep 'CSIInlineVolumeSecurity'
          "storage.openshift.io/CSIInlineVolumeSecurity": "pod  uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security audit level that is lower than privileged"

      Actual results:

      In step 3 and step 4: deployment workloads the warning info pod name is empty
      statefulset/daemonset workloads the warning info doesn't display
      In step 5: audit logs the pod name is empty 

      Expected results:

      In step 3 and step 4: deployment workloads the warning info pod name should be exist
      statefulset/daemonset workloads the warning info should display
      In step 5: audit logs the pod name shouldn't be empty it should record the workload type and pod specific names

      Additional info:

      Testdata:
      https://github.com/Phaow/csi-driver-shared-resource/tree/test-inlinevolume/examples/simple

              jdobson@redhat.com Jonathan Dobson
              openshift-crt-jira-prow OpenShift Prow Bot
              Penghao Wang Penghao Wang
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: