Bug | Resolution: Won't Do | 4.11 | Moderate
Description of problem:
In 4.11.9 to 4.11.12 CI, PodSecurityViolation fires (per PromeCIeus). It's partly because of various e2e workloads, but also because of the service-ca Deployment:

$ curl -s https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/logs/release-openshift-origin-installer-e2e-gcp-upgrade/1585394383170048000/artifacts/e2e-gcp-upgrade/audit-logs.tar | tar xz --strip-components=2
$ zgrep -h pod-security.kubernetes.io/audit-violations kube-apiserver/*log.gz | grep openshift-service-ca | grep deployments | jq -r 'select(.annotations["pod-security.kubernetes.io/audit-violations"] != null).annotations["pod-security.kubernetes.io/audit-violations"]'
would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "service-ca-controller" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "service-ca-controller" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "service-ca-controller" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Version-Release number of selected component (if applicable):
At least 4.11.9 or 4.11.12. Probably both. Likely other 4.11+ releases as well.
How reproducible:
I haven't looked, but I expect it to be 100% reproducible. May not even need updates.
Steps to Reproduce:
1. Run CI jobs.
2. Grep their audit logs for pod-security.kubernetes.io/audit-violations associated with openshift-service-ca.
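The same check as the zgrep/jq pipeline above, done in Python over constructed audit events, plus a check of a container securityContext against the three restricted:latest requirements the annotation names. This is an added example, not part of the bug report; the sample events and the helper names are constructed here.

```python
"""Added example: find PodSecurity audit-violation annotations for a namespace
in kube-apiserver audit events, and check a container securityContext against
the restricted:latest requirements quoted in the bug report."""
import json

AUDIT_ANNOTATION = "pod-security.kubernetes.io/audit-violations"

# Constructed sample audit events (JSON lines, trimmed to the fields used here).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"objectRef": {"resource": "deployments", "namespace": "openshift-service-ca",
                   "name": "service-ca"},
     "annotations": {AUDIT_ANNOTATION: 'would violate PodSecurity "restricted:latest": '
                     'allowPrivilegeEscalation != false (container "service-ca-controller" '
                     'must set securityContext.allowPrivilegeEscalation=false)'}},
    {"objectRef": {"resource": "deployments", "namespace": "openshift-other", "name": "x"},
     "annotations": {AUDIT_ANNOTATION: 'would violate PodSecurity "restricted:latest": ...'}},
    {"objectRef": {"resource": "configmaps", "namespace": "openshift-service-ca", "name": "y"},
     "annotations": {"authorization.k8s.io/decision": "allow"}},
])


def audit_violations(log_text, namespace, resource="deployments"):
    """Return (object name, violation text) for every event in `namespace` whose
    object is of kind `resource` and carries the audit-violations annotation."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        ref = event.get("objectRef", {})
        violation = event.get("annotations", {}).get(AUDIT_ANNOTATION)
        if violation and ref.get("namespace") == namespace and ref.get("resource") == resource:
            hits.append((ref.get("name"), violation))
    return hits


def restricted_profile_gaps(security_context):
    """List what a container-level securityContext is missing for the three
    restricted:latest checks named in the bug's annotation. A seccompProfile set
    at pod level would also satisfy the third check; this only looks at the container."""
    gaps = []
    if security_context.get("allowPrivilegeEscalation") is not False:
        gaps.append("allowPrivilegeEscalation must be false")
    if "ALL" not in security_context.get("capabilities", {}).get("drop", []):
        gaps.append('capabilities.drop must include "ALL"')
    if security_context.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        gaps.append("seccompProfile.type must be RuntimeDefault or Localhost")
    return gaps
```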
Actual results:
Hits for the service-ca Deployment and associated ReplicaSets.
Expected results:
No hits at all.
Additional information:
Presumably needs some bumps in here. And possibly adjustments to whatever is reconciling that data with the cluster, depending on how it handles the requested properties like seccompProfile.