
SCTP security issues difference from OCP 4.11 to OCP 4.12


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Normal
    • Affects Version: 4.12
    • Severity: Moderate
    • Release Blocker: Rejected

    Description

      Description of problem:

      Pod creation fails with the 4.12 ec4 build.

      Version-Release number of selected component (if applicable):

      Operating System: Red Hat Enterprise Linux CoreOS 412.86.202210042057-0 (Ootpa)

      How reproducible:

      Try scheduling the pod referenced below on an OCP cluster running the 4.12 ec4 build.

      Steps to Reproduce:

      1. Follow the SCTP verification procedure in https://docs.openshift.com/container-platform/4.11/networking/using-sctp.html#nw-sctp-verifying_using-sctp
      2. Apply load-sctp-module.yaml
      3. Create the pod with sctp-server.yaml

      Actual results:

      [root@bastion sctp]# oc create -f sctp-server.yaml
      
      Error from server (Forbidden): error when creating "sctp-server.yaml": pods "sctpserver" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "sctpserver" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sctpserver" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sctpserver" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sctpserver" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

      Expected results:

      The pod should be created successfully.

      Additional info:

      Note:
      FYI: tried the same on a 4.11 build; it succeeded, with the same warning:
      
      [root@api.testocp.cp.fyre.ibm.com chidu]# oc create -f sctp-server.yaml 
      
      Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "sctpserver" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "sctpserver" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "sctpserver" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "sctpserver" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      pod/sctpserver created
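      The four conditions in the admission error map directly onto securityContext fields. The following added example (not code from this bug, OpenShift, or the linked docs) checks a pod manifest against those four restricted:v1.24 conditions and shows a hardened variant; the manifest and image name are constructed placeholders, and the real restricted profile includes further baseline checks (privileged, hostNetwork, volume types) that are not modelled here.

```python
"""Checks a pod manifest against the four restricted:v1.24 conditions quoted in
the admission error above, then shows the securityContext that satisfies them.
Added example (not OpenShift or Kubernetes code); manifests are constructed and
the image name is a placeholder. The real 'restricted' profile includes further
baseline checks (privileged, hostNetwork, volume types, ...) not modelled here."""
import copy
from typing import Any

def _containers(pod: dict[str, Any]) -> list[dict[str, Any]]:
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])

def restricted_violations(pod: dict[str, Any]) -> list[str]:
    """Return one message per failed check; an empty list means the pod passes."""
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    found = []
    for c in _containers(pod):
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f'allowPrivilegeEscalation != false (container "{name}")')
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            found.append(f'unrestricted capabilities (container "{name}" must drop ["ALL"])')
        # runAsNonRoot and seccompProfile may be set at pod level or per container
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f'runAsNonRoot != true (pod or container "{name}")')
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(f'seccompProfile (pod or container "{name}" must be RuntimeDefault or Localhost)')
    return found

def harden(pod: dict[str, Any]) -> dict[str, Any]:
    """Return a copy with exactly the settings the error message asks for."""
    fixed = copy.deepcopy(pod)
    fixed["spec"].setdefault("securityContext", {}).update(
        {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}})
    for c in _containers(fixed):
        c.setdefault("securityContext", {}).update(
            {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}})
    return fixed

# Constructed manifest in the shape of the page's sctp-server pod (no securityContext).
BARE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "sctpserver"},
    "spec": {"containers": [{"name": "sctpserver",
                             "image": "PLACEHOLDER-sctp-server-image"}]},
}

if __name__ == "__main__":
    print("\n".join(restricted_violations(BARE_POD)))  # the four violations
    print(restricted_violations(harden(BARE_POD)))      # []
```

      Setting runAsNonRoot=true only satisfies admission; the kubelet will still refuse to start the container if the image's configured user is root, so the image must actually run as a non-root user (or set runAsUser) for the hardened pod to come up.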

            People

              tvardema Trevor Vardeman
              krmoser Kyle Moser (Inactive)