Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-2366

SCTP security issues difference from OCP 4.11 to OCP 4.12

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Normal Normal
    • None
    • 4.12
    • None
    • Moderate
    • None
    • Rejected
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      pod creation failed with 4.12 ec4 build

      Version-Release number of selected component (if applicable):

      Operating System: Red Hat Enterprise Linux CoreOS 412.86.202210042057-0 (Ootpa)

      How reproducible:

      Try scheduling a mentioned pod in 4.12 ec4 build in ocp cluster 

      Steps to Reproduce:

      1. Refer this document https://docs.openshift.com/container-platform/4.11/networking/using-sctp.html#nw-sctp-verifying_using-sctp
      2. Load the load-sctp-module.yaml 
      3. Create the pod with sctp-server.yaml  

      Actual results:

      [root@bastion sctp]# oc create -f sctp-server.yaml
      
      Error from server (Forbidden): error when creating "sctp-server.yaml": pods "sctpserver" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "sctpserver" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sctpserver" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sctpserver" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sctpserver" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      Expected results:

      pod should create successfully

      Additional info:

      Note: 
      FYI Tried doing the same in 4.11 build it was successful with same warning
      
      [root@api.testocp.cp.fyre.ibm.com chidu]# oc create -f sctp-server.yaml 
      
      Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "sctpserver" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sctpserver" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sctpserver" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sctpserver" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      pod/sctpserver created

            tvardema Trevor Vardeman
            krmoser Kyle Moser (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: