Loading...

Type: Bug
Resolution: Not a Bug
Priority: Critical
Fix Version/s: 4.13.0
Affects Version/s: 4.13.0
Component/s: Compliance Operator
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Important
Regression:
None

Target Backport Versions:
None
Target Version:

4.13.0
Release Blocker:
Proposed
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

The compliancesuite hangs at Launching status due to PSA

Version-Release number of selected component (if applicable):

4.13.0-0.nightly-2023-02-07-064924 + compliance-operator.v0.1.60-3

How reproducible:

Always

Steps to Reproduce:

Install compliance operator
Trigger a scan with profile/ocp4-cis-node

$ oc compliance bind -N test -S default profile/ocp4-cis profile/ocp4-cis-node

3. Check the status of the compliancesuite created

Actual results:

The compliancesuite will hang at “Launching” status due to PSA:

{"level":"error","ts":"2023-02-09T08:19:58.460Z","logger":"scanctrl","msg":"Failed to launch a pod","Request.Namespace":"openshift-compliance","Request.Name":"master-scan7f9c25r5fx","Pod.Name":"openscap-pod-5f3357193d5e6288dc224f019533d153fa13afeb","error":"pods \"openscap-pod-5f3357193d5e6288dc224f019533d153fa13afeb\" is forbidden: violates PodSecurity \"restricted:latest\": privileged (container \"scanner\" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container \"scanner\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"scanner\" must set securityContext.capabilities.drop=[\"ALL\"]), restricted volume types (volume \"host\" uses restricted volume type \"hostPath\"), runAsNonRoot != true (pod or containers \"content-container\", \"log-collector\", \"scanner\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \"content-container\", \"log-collector\", \"scanner\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")","stacktrace":"github.com/ComplianceAsCode/compliance-operator/pkg/controller/compliancescan.(*nodeScanTypeHandler).createScanWorkload\n\tgithub.com/ComplianceAsCode/compliance-operator/pkg/controller/compliancescan/scantype.go:151\ngithub.com/ComplianceAsCode/compliance-operator/pkg/controller/compliancescan.(*ReconcileComplianceScan).phaseLaunchingHandler\n\tgithub.com/ComplianceAsCode/compliance-operator/pkg/controller/compliancescan/compliancescan_controller.go:358\ngithub.com/ComplianceAsCode/compliance-operator/pkg/controller/compliancescan.(*ReconcileComplianceScan).Reconcile\n\tgithub.com/ComplianceAsCode/compliance-operator/pkg/controller/compliancescan/compliancescan_controller.go:195\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\tsigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:121\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:320\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:273\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:234"} {"level":"error","ts":"2023-02-09T08:19:58.460Z","logger":"scanctrl","msg":"Retriable error","Request.Namespace":"openshift-compliance","Request.Name":"master-scan7f9c25r5fx","error":"pods \"openscap-pod-5f3357193d5e6288dc224f019533d153fa13afeb\" is forbidden: violates PodSecurity \"restricted:latest\": privileged (container \"scanner\" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container \"scanner\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"scanner\" must set securityContext.capabilities.drop=[\"ALL\"]), restricted volume types (volume \"host\" uses restricted volume type \"hostPath\"), runAsNonRoot != true (pod or containers \"content-container\", \"log-collector\", \"scanner\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \"content-container\", \"log-collector\", \"scanner\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")","stacktrace":"github.com/ComplianceAsCode/compliance-operator/pkg/controller/compliancescan.(*ReconcileComplianceScan).phaseLaunchingHandler\n\tgithub.com/ComplianceAsCode/compliance-operator/pkg/controller/compliancescan/compliancescan_controller.go:373\ngithub.com/ComplianceAsCode/compliance-operator/pkg/controller/compliancescan.(*ReconcileComplianceScan).Reconcile\n\tgithub.com/ComplianceAsCode/compliance-operator/pkg/controller/compliancescan/compliancescan_controller.go:195\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\tsigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:121\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tsigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:320\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:273\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:234"} {"level":"error","ts":"2023-02-09T08:19:58.460Z","msg":"Reconciler error","controller":"compliancescan-controller","object":\{"name":"master-scan7f9c25r5fx","namespace":"openshift-compliance"}

,"namespace":"openshift-compliance","name":"master-scan7f9c25r5fx","reconcileID":"480fae26-eaac-4a35-8824-d74858ef560b","error":"pods \"openscap-pod-5f3357193d5e6288dc224f019533d153fa13afeb\" is forbidden: violates PodSecurity \"restricted:latest\": privileged (container \"scanner\" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container \"scanner\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"scanner\" must set securityContext.capabilities.drop=[\"ALL\"]), restricted volume types (volume \"host\" uses restricted volume type \"hostPath\"), runAsNonRoot != true (pod or containers \"content-container\", \"log-collector\", \"scanner\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \"content-container\", \"log-collector\", \"scanner\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tsigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:273\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tsigs.k8s.io/controller-runtime@v0.12.3/pkg/internal/controller/controller.go:234"}

Expected results:

The scan for the compliancesuite will start and reach to “Done” phase quickly(usually in 5 minutes)

Additional info:
The issue was for 4.13.0 only

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates