Details
-
Bug
-
Resolution: Done-Errata
-
Major
-
4.13
-
None
-
Moderate
-
No
-
Storage Sprint 232, Storage Sprint 233
-
2
-
Rejected
-
False
-
-
N/A
-
Release Note Not Required
Description
Description of problem:
[CSI Inline Volume admission plugin] when using deployment/statefulset/daemonset workload with inline volume doesn't record audit logs/warning correctly
Version-Release number of selected component (if applicable):
4.13.0-0.ci.test-2023-03-02-013814-ci-ln-yd4m4st-latest (nightly build also could be reproduced)
How reproducible:
Always
Steps to Reproduce:
1. Enable feature gate to auto install the csi.sharedresource csi driver 2. Add security.openshift.io/csi-ephemeral-volume-profile: privileged to CSIDriver 'csi.sharedresource.openshift.io' # scale down the cvo,cso and shared-resource-csi-driver-operator $ oc scale --replicas=0 deploy/cluster-version-operator -n openshift-cluster-version deployment.apps/cluster-version-operator scaled $oc scale --replicas=0 deploy/cluster-storage-operator -n openshift-cluster-storage-operator deployment.apps/cluster-storage-operator scaled $ oc scale --replicas=0 deploy/shared-resource-csi-driver-operator -n openshift-cluster-csi-drivers deployment.apps/shared-resource-csi-driver-operator scaled # Add security.openshift.io/csi-ephemeral-volume-profile: privileged to CSIDriver $ oc get csidriver/csi.sharedresource.openshift.io -o yaml apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: annotations: csi.openshift.io/managed: "true" operator.openshift.io/spec-hash: 4fc61ff54015a7e91e07b93ac8e64f46983a59b4b296344948f72187e3318b33 creationTimestamp: "2022-10-26T08:10:23Z" labels: security.openshift.io/csi-ephemeral-volume-profile: privileged 3. Create different workloads with inline volume in a restricted namespace $ oc apply -f examples/simple role.rbac.authorization.k8s.io/shared-resource-my-share-pod created rolebinding.rbac.authorization.k8s.io/shared-resource-my-share-pod created configmap/my-config created sharedconfigmap.sharedresource.openshift.io/my-share-pod created Error from server (Forbidden): error when creating "examples/simple/03-pod.yaml": pods "my-csi-app-pod" is forbidden: admission denied: pod my-csi-app-pod uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security enforce level that is lower than privileged Error from server (Forbidden): error when creating "examples/simple/04-deployment.yaml": deployments.apps "mydeployment" is forbidden: admission denied: pod uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security enforce level that is lower than privileged Error from server (Forbidden): error when creating "examples/simple/05-statefulset.yaml": statefulsets.apps "my-sts" is forbidden: admission denied: pod uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security enforce level that is lower than privileged 4. Add enforce: privileged label to the test ns and create different workloads with inline volume again $ oc label ns/my-csi-app-namespace security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=restricted pod-security.kubernetes.io/warn=restricted --overwrite namespace/my-csi-app-namespace labeled $ oc apply -f examples/simple role.rbac.authorization.k8s.io/shared-resource-my-share-pod created rolebinding.rbac.authorization.k8s.io/shared-resource-my-share-pod created configmap/my-config created sharedconfigmap.sharedresource.openshift.io/my-share-pod created Warning: pod my-csi-app-pod uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security warn level that is lower than privileged pod/my-csi-app-pod created Warning: pod uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security warn level that is lower than privileged deployment.apps/mydeployment created daemonset.apps/my-ds created statefulset.apps/my-sts created $ oc get po NAME READY STATUS RESTARTS AGE my-csi-app-pod 1/1 Running 0 34s my-ds-cw4k7 1/1 Running 0 32s my-ds-sv9vp 1/1 Running 0 32s my-ds-v7f9m 1/1 Running 0 32s my-sts-0 1/1 Running 0 31s mydeployment-664cd95cb4-4s2cd 1/1 Running 0 33s 5. Check the api-server audit logs $ oc adm node-logs ip-10-0-211-240.us-east-2.compute.internal --path=kube-apiserver/audit.log | grep 'uses an inline volume provided by'| tail -1 | jq . | grep 'CSIInlineVolumeSecurity' "storage.openshift.io/CSIInlineVolumeSecurity": "pod uses an inline volume provided by CSIDriver csi.sharedresource.openshift.io and namespace my-csi-app-namespace has a pod security audit level that is lower than privileged"
Actual results:
In step 3 and step 4: deployment workloads the warning info pod name is empty statefulset/daemonset workloads the warning info doesn't display In step 5: audit logs the pod name is empty
Expected results:
In step 3 and step 4: deployment workloads the warning info pod name should be exist statefulset/daemonset workloads the warning info should display In step 5: audit logs the pod name shouldn't be empty it should record the workload type and pod specific names
Additional info:
Testdata: https://github.com/Phaow/csi-driver-shared-resource/tree/test-inlinevolume/examples/simple
Attachments
Issue Links
- blocks
-
-
- Closed
-
- is cloned by
-
-
- Closed
-
- links to
-
RHEA-2023:5006
rpm