Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.11.z
Component/s: Compliance Operator
Labels:
- pre-merge-tested
- pre-merge-verified

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
No
Epic Link:
co-1.4.0-bugs

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
CMP Sprint 67, CMP Sprint 68, CMP Sprint 69, CMP Sprint 70, CMP Sprint 71, CMP Sprint 72, CMP Sprint 73, CMP Sprint 74, CMP Sprint 75
sprint_count:
9

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Review Complete:
PX Priority Data:
PX Impact Score:
PX Technical Impact:
PX Impact Range:

Release Note Status:
None
Release Note Type:
None
Release Note Text:

Hide
Previously, users would see Pod Security violation running the complinace operator. This has been fixed by dropping unnecessary permissions from the Compliance Operator deployment. No functionality should have changed as a result, but permissions and capability around the deployment pods and pods that parse the profile bundles are reduced, eliminating some of the warning.

Show
Previously, users would see Pod Security violation running the complinace operator. This has been fixed by dropping unnecessary permissions from the Compliance Operator deployment. No functionality should have changed as a result, but permissions and capability around the deployment pods and pods that parse the profile bundles are reduced, eliminating some of the warning.

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

After cluster upgrade to 4.11, PodSecurity violation alerts are triggered by compliance-operator:

      1 openshift-compliance ocp4-cis-node-infra-rs deployments would violate PodSecurity "restricted:latest": seccompProfile (pod or container "result-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      1 openshift-compliance ocp4-cis-node-master-rs deployments would violate PodSecurity "restricted:latest": seccompProfile (pod or container "result-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      1 openshift-compliance ocp4-cis-node-storage-rs deployments would violate PodSecurity "restricted:latest": seccompProfile (pod or container "result-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      1 openshift-compliance ocp4-cis-node-worker-rs deployments would violate PodSecurity "restricted:latest": seccompProfile (pod or container "result-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      1 openshift-compliance vz-ocp4-cis-rs deployments would violate PodSecurity "restricted:latest": seccompProfile (pod or container "result-server" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Version-Release number of selected component (if applicable):

v0.1.61

links to

fix

RHBA-2023:7658 OpenShift Compliance Operator bug fix and enhancement update

Assignee:: Lance Bragstad

Reporter:: Raul Fernandez

Need Info From:: Lance Bragstad

Contributors:: None

QA Contact:: Xiaojie Yuan

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: 2023/03/01 11:25 AM

Updated:: 2025/09/13 6:47 AM

Resolved:: 2024/08/07 7:56 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates