- Bug
- Resolution: Duplicate
- Major
- None
- 4.11.z
- Important
- No
- Proposed
- False
Description of problem:
OpenShift Container Platform 4.11.29 running with OpenShift Pipelines 1.8.2, which appears to have all Pod Security Admission settings in place, is reporting the events below, even though the respective containers have securityContext.seccompProfile.type set.

{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "c9ee32d3-0701-4948-b6ac-eeb1379b03f8",
  "stage": "ResponseComplete",
  "requestURI": "/apis/apps/v1/namespaces/openshift-pipelines/deployments/tekton-triggers-webhook?fieldManager=manifestival",
  "verb": "update",
  "user": {
    "username": "system:serviceaccount:project-openshift-pipelines:openshift-pipelines-operator",
    "uid": "c3ed0c79-ebdc-4604-b0c8-06e543dcca4a",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:project-openshift-pipelines",
      "system:authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "openshift-pipelines-operator-699b947689-9947q"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "bbb611a1-203c-45f5-a771-47cf4982f233"
      ]
    }
  },
  "sourceIPs": [
    "10.0.128.5"
  ],
  "userAgent": "openshift-pipelines-operator/v0.0.0 (linux/amd64) kubernetes/$Format",
  "objectRef": {
    "resource": "deployments",
    "namespace": "openshift-pipelines",
    "name": "tekton-triggers-webhook",
    "uid": "b3af0963-52ff-4c6e-a9c1-b4ea2e9e9794",
    "apiGroup": "apps",
    "apiVersion": "v1",
    "resourceVersion": "6928030"
  },
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "requestReceivedTimestamp": "2023-03-08T11:04:33.842195Z",
  "stageTimestamp": "2023-03-08T11:04:33.851537Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"openshift-pipelines-operator-rh.v1.8.2-66b5d494d4\" of ClusterRole \"openshift-pipelines-operator-rh.v1.8.2-66b5d494d4\" to ServiceAccount \"openshift-pipelines-operator/project-openshift-pipelines\"",
    "pod-security.kubernetes.io/audit-violations": "would violate PodSecurity \"restricted:latest\": seccompProfile (pod or container \"webhook\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
  }
}

In this scenario, it's important to understand that the OpenShift Pipelines Operator is not installed in openshift-operators but instead in a custom project called project-openshift-pipelines.

$ oc get ns project-openshift-pipelines -o yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/description: ""
    openshift.io/display-name: ""
    openshift.io/requester: system:admin
    openshift.io/sa.scc.mcs: s0:c27,c9
    openshift.io/sa.scc.supplemental-groups: 1000720000/10000
    openshift.io/sa.scc.uid-range: 1000720000/10000
    operator.tekton.dev/prune.hash: e12cf88878007ab90299fa28c92d42daf72a1dda6ff604ea40c1f1da0f1f5e1d
  creationTimestamp: "2023-03-07T13:33:58Z"
  labels:
    kubernetes.io/metadata.name: project-openshift-pipelines
    openshift-pipelines.tekton.dev/namespace-reconcile-version: 1.8.2
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/warn: privileged
    pod-security.kubernetes.io/warn-version: v1.24
  name: project-openshift-pipelines
  resourceVersion: "7013528"
  uid: 81b3cae3-2248-4c68-81c6-fc0736bf122c
spec:
  finalizers:
  - kubernetes
status:
  phase: Active

Yet I'm failing to see the problem, as OpenShift Pipelines is all running with restricted-v2 and again has all required SecurityContext settings applied.
Version-Release number of selected component (if applicable):
OpenShift Container Platform 4.11.29
How reproducible:
Always
Steps to Reproduce:
1. Install OpenShift Pipelines into project-openshift-pipelines, using the CLI instructions from https://docs.openshift.com/container-platform/4.11/cicd/pipelines/installing-pipelines.html#op-installing-pipelines-operator-using-the-cli_installing-pipelines
2. Check the kube-apiserver audit logs for pod-security.kubernetes.io/audit-violations events
Actual results:
{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "c9ee32d3-0701-4948-b6ac-eeb1379b03f8",
  "stage": "ResponseComplete",
  "requestURI": "/apis/apps/v1/namespaces/openshift-pipelines/deployments/tekton-triggers-webhook?fieldManager=manifestival",
  "verb": "update",
  "user": {
    "username": "system:serviceaccount:project-openshift-pipelines:openshift-pipelines-operator",
    "uid": "c3ed0c79-ebdc-4604-b0c8-06e543dcca4a",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:project-openshift-pipelines",
      "system:authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "openshift-pipelines-operator-699b947689-9947q"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "bbb611a1-203c-45f5-a771-47cf4982f233"
      ]
    }
  },
  "sourceIPs": [
    "10.0.128.5"
  ],
  "userAgent": "openshift-pipelines-operator/v0.0.0 (linux/amd64) kubernetes/$Format",
  "objectRef": {
    "resource": "deployments",
    "namespace": "openshift-pipelines",
    "name": "tekton-triggers-webhook",
    "uid": "b3af0963-52ff-4c6e-a9c1-b4ea2e9e9794",
    "apiGroup": "apps",
    "apiVersion": "v1",
    "resourceVersion": "6928030"
  },
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "requestReceivedTimestamp": "2023-03-08T11:04:33.842195Z",
  "stageTimestamp": "2023-03-08T11:04:33.851537Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"openshift-pipelines-operator-rh.v1.8.2-66b5d494d4\" of ClusterRole \"openshift-pipelines-operator-rh.v1.8.2-66b5d494d4\" to ServiceAccount \"openshift-pipelines-operator/project-openshift-pipelines\"",
    "pod-security.kubernetes.io/audit-violations": "would violate PodSecurity \"restricted:latest\": seccompProfile (pod or container \"webhook\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
  }
}

{
  "kind": "Event",
  "apiVersion": "audit.k8s.io/v1",
  "level": "Metadata",
  "auditID": "db52894b-265d-4127-9723-4c134f50b712",
  "stage": "ResponseComplete",
  "requestURI": "/apis/apps/v1/namespaces/openshift-pipelines/deployments/tekton-triggers-controller?fieldManager=manifestival",
  "verb": "update",
  "user": {
    "username": "system:serviceaccount:project-openshift-pipelines:openshift-pipelines-operator",
    "uid": "c3ed0c79-ebdc-4604-b0c8-06e543dcca4a",
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:project-openshift-pipelines",
      "system:authenticated"
    ],
    "extra": {
      "authentication.kubernetes.io/pod-name": [
        "openshift-pipelines-operator-699b947689-9947q"
      ],
      "authentication.kubernetes.io/pod-uid": [
        "bbb611a1-203c-45f5-a771-47cf4982f233"
      ]
    }
  },
  "sourceIPs": [
    "10.0.128.5"
  ],
  "userAgent": "openshift-pipelines-operator/v0.0.0 (linux/amd64) kubernetes/$Format",
  "objectRef": {
    "resource": "deployments",
    "namespace": "openshift-pipelines",
    "name": "tekton-triggers-controller",
    "uid": "ae50c256-bf05-4da2-8514-3d4c6330b55e",
    "apiGroup": "apps",
    "apiVersion": "v1",
    "resourceVersion": "6928019"
  },
  "responseStatus": {
    "metadata": {},
    "code": 200
  },
  "requestReceivedTimestamp": "2023-03-08T11:04:33.761807Z",
  "stageTimestamp": "2023-03-08T11:04:33.769917Z",
  "annotations": {
    "authorization.k8s.io/decision": "allow",
    "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"openshift-pipelines-operator-rh.v1.8.2-66b5d494d4\" of ClusterRole \"openshift-pipelines-operator-rh.v1.8.2-66b5d494d4\" to ServiceAccount \"openshift-pipelines-operator/project-openshift-pipelines\"",
    "pod-security.kubernetes.io/audit-violations": "would violate PodSecurity \"restricted:latest\": seccompProfile (pod or container \"tekton-triggers-controller\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
  }
}
Expected results:
No PodSecurityViolation being reported as all appears to be compliant
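Step 2 of the reproduction (searching the kube-apiserver audit log for pod-security.kubernetes.io/audit-violations events) can be scripted so that each finding is reduced to the fields that matter for triage: the requesting identity, the object PSA evaluated and the namespace it lives in (here openshift-pipelines, not the operator's own project-openshift-pipelines), the policy level named in the annotation, the individual failed checks, and whether the request was still admitted (an audit-mode annotation on a 200 response is informational; enforce mode would reject). The script below is an added example and is not part of this bug report or of OpenShift Pipelines. It assumes the JSON Lines audit log layout shown above; the three sample events are constructed and trimmed to the fields the script reads, and the parser of the violation string assumes the stock "name (detail), name (detail)" rendering.

```python
import json
import re
from collections import Counter

VIOLATION_ANNOTATION = "pod-security.kubernetes.io/audit-violations"

# Constructed sample: three kube-apiserver audit events in JSON Lines form, trimmed
# to the fields this script reads. The first two are modelled on the events in the
# report (operator in project-openshift-pipelines updating Deployments that live in
# openshift-pipelines); the third is a compliant request added to show it is filtered out.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {
        "auditID": "c9ee32d3-0701-4948-b6ac-eeb1379b03f8",
        "verb": "update",
        "user": {"username": "system:serviceaccount:project-openshift-pipelines:openshift-pipelines-operator"},
        "objectRef": {"resource": "deployments", "namespace": "openshift-pipelines",
                      "name": "tekton-triggers-webhook", "apiGroup": "apps"},
        "responseStatus": {"code": 200},
        "annotations": {
            "authorization.k8s.io/decision": "allow",
            VIOLATION_ANNOTATION: 'would violate PodSecurity "restricted:latest": seccompProfile '
                                  '(pod or container "webhook" must set '
                                  'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")',
        },
    },
    {
        "auditID": "db52894b-265d-4127-9723-4c134f50b712",
        "verb": "update",
        "user": {"username": "system:serviceaccount:project-openshift-pipelines:openshift-pipelines-operator"},
        "objectRef": {"resource": "deployments", "namespace": "openshift-pipelines",
                      "name": "tekton-triggers-controller", "apiGroup": "apps"},
        "responseStatus": {"code": 200},
        "annotations": {
            "authorization.k8s.io/decision": "allow",
            VIOLATION_ANNOTATION: 'would violate PodSecurity "restricted:latest": seccompProfile '
                                  '(pod or container "tekton-triggers-controller" must set '
                                  'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")',
        },
    },
    {
        "auditID": "00000000-0000-0000-0000-000000000000",  # constructed placeholder id
        "verb": "get",
        "user": {"username": "system:serviceaccount:project-openshift-pipelines:openshift-pipelines-operator"},
        "objectRef": {"resource": "configmaps", "namespace": "openshift-pipelines", "name": "example-config"},
        "responseStatus": {"code": 200},
        "annotations": {"authorization.k8s.io/decision": "allow"},
    },
])

# Annotation shape: 'would violate PodSecurity "<level>": <check> (<detail>), <check> (<detail>)'
HEADER_RE = re.compile(r'^would violate PodSecurity "(?P<level>[^"]+)": (?P<checks>.+)$')
# Assumes no check detail contains the sequence "), " (true for the stock PSA checks).
CHECK_RE = re.compile(r'(.+?) \((.+?)\)(?:, |$)')


def parse_violation(message):
    """Return (policy_level, [(check_name, detail), ...]) for one audit-violations annotation."""
    m = HEADER_RE.match(message)
    if m is None:
        raise ValueError(f"unrecognised PodSecurity annotation: {message!r}")
    return m.group("level"), CHECK_RE.findall(m.group("checks"))


def extract_violations(audit_log_text):
    """Return one triage record per audit event that carries the audit-violations annotation."""
    records = []
    for line in audit_log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        message = event.get("annotations", {}).get(VIOLATION_ANNOTATION)
        if message is None:
            continue  # not a PSA finding
        level, checks = parse_violation(message)
        ref = event.get("objectRef", {})
        records.append({
            "auditID": event.get("auditID"),
            "user": event.get("user", {}).get("username"),
            "verb": event.get("verb"),
            "namespace": ref.get("namespace"),  # the namespace whose PSA labels applied
            "resource": ref.get("resource"),
            "name": ref.get("name"),
            "level": level,
            "checks": checks,
            # audit mode only annotates; a 200 here means the request went through
            "admitted": event.get("responseStatus", {}).get("code") == 200,
        })
    return records


def summarize(records):
    """Count failed checks per (namespace, resource, name, check) to see which workloads need attention."""
    counts = Counter()
    for r in records:
        for check_name, _detail in r["checks"]:
            counts[(r["namespace"], r["resource"], r["name"], check_name)] += 1
    return counts


if __name__ == "__main__":
    found = extract_violations(SAMPLE_AUDIT_LOG)
    for r in found:
        print(f'{r["auditID"]} {r["user"]} {r["verb"]} {r["namespace"]}/{r["resource"]}/{r["name"]} '
              f'level={r["level"]} admitted={r["admitted"]}')
        for name, detail in r["checks"]:
            print(f"    {name}: {detail}")
    for key, n in sorted(summarize(found).items()):
        print(n, *key)
```

On a real cluster the same functions can be fed the contents of the kube-apiserver audit log files instead of SAMPLE_AUDIT_LOG; grouping by objectRef.namespace rather than by the requesting service account's namespace is what makes it clear which namespace's pod-security labels were actually evaluated.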
Additional info:
- duplicates: OCPBUGS-7267 [AUTH-262 epic story] [Enhancement] Modify the PSa pod extractor to mutate pod controller pod specs (Closed)