Knative Serving / SRVKS-985

Controller and autoscaler throwing warnings about pod security policy


    • Type: Bug
    • Resolution: Done
    • Priority: Undefined
    • Fix Version/s: 1.29.0
    • Affects Version/s: 1.25.0, 1.26.0, 1.27.0, 1.28.0

      This is a follow-up on https://issues.redhat.com/browse/SRVKS-934, specifically this comment:

      More information is in the JIRA above including experiments and detailed analysis.

      Creating a simple Knative Service via "kn service create hello --image quay.io/openshift-knative/helloworld-go:multiarch" in my own namespace.

      The knative service works fine and I can send an http request to it.

      The audit logs gathered via "oc adm must-gather -- /usr/bin/gather_audit_logs" do NOT show any errors.

      However, the Knative Serving controller still throws warnings like this one:

      {"severity":"INFO","timestamp":"2022-11-29T16:23:44.782172885Z","logger":"controller","caller":"controller/controller.go:550","message":"Reconcile succeeded","knative.dev/pod":"controller-64d4bc79c7-v5z92","knative.dev/controller":"knative.dev.serving.pkg.reconciler.revision.Reconciler","knative.dev/kind":"serving.knative.dev.Revision","knative.dev/traceid":"be70fcf5-c30f-4940-bdfc-6ec145d19757","knative.dev/key":"mgencur/hello-00001","duration":"68.948043ms"}
      {"severity":"WARNING","timestamp":"2022-11-29T16:23:44.799379543Z","logger":"controller","caller":"logging/warning_handler.go:32","message":"API Warning: would violate PodSecurity \"restricted:v1.24\": allowPrivilegeEscalation != false (container \"user-container\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"user-container\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"user-container\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \"user-container\", \"queue-proxy\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")","knative.dev/pod":"controller-64d4bc79c7-v5z92"} 
      

      Here's the yaml output of the ksvc, namespace, deployment and pod: https://gist.github.com/mgencur/013c85f5809c8a82412fb17e1faf46d1

      Note: The deployment doesn't have any security context set; the Pod has the right security context and other security settings, so it looks alright. The only problem seems to be the warning in the Knative Controller (and Autoscaler).
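The warning quoted above names four restricted-profile checks and the containers each one applies to. As an added example (not part of this issue and not Knative's own code), the Python below parses such controller log lines into structured violations and applies the same four checks to a pod template, so a reviewer can see which containers an admission warning will name before the Deployment is created. The log lines, the two pod templates and all function names are constructed for the example; the checker covers only the four fields in the warning, not the complete restricted profile.

```python
import json
import re

# Constructed sample log: two controller lines shaped like the ones quoted in
# the issue (an INFO "Reconcile succeeded" line and the PodSecurity WARNING).
SAMPLE_LOG = r'''
{"severity":"INFO","timestamp":"2022-11-29T16:23:44.782172885Z","logger":"controller","caller":"controller/controller.go:550","message":"Reconcile succeeded","knative.dev/pod":"controller-64d4bc79c7-v5z92","knative.dev/key":"mgencur/hello-00001"}
{"severity":"WARNING","timestamp":"2022-11-29T16:23:44.799379543Z","logger":"controller","caller":"logging/warning_handler.go:32","message":"API Warning: would violate PodSecurity \"restricted:v1.24\": allowPrivilegeEscalation != false (container \"user-container\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"user-container\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"user-container\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \"user-container\", \"queue-proxy\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")","knative.dev/pod":"controller-64d4bc79c7-v5z92"}
'''

PSA_RE = re.compile(r'would violate PodSecurity "(?P<profile>[^"]+)": (?P<rest>.*)$')
VIOLATION_RE = re.compile(r'(?P<check>[^(]+?) \((?P<detail>[^)]*)\)(?:, |$)')
CONTAINERS_RE = re.compile(r'containers? ((?:"[^"]+"(?:, )?)+)')


def parse_psa_warnings(log_text):
    """One record per WARNING line carrying a PodSecurity admission warning:
    the profile, the pod that logged it, and each violation with the containers
    it names. INFO lines, unrelated warnings and non-JSON lines are skipped."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("severity") != "WARNING":
            continue
        m = PSA_RE.search(entry.get("message", ""))
        if not m:
            continue
        violations = []
        for v in VIOLATION_RE.finditer(m.group("rest")):
            cm = CONTAINERS_RE.search(v.group("detail"))
            names = re.findall(r'"([^"]+)"', cm.group(1)) if cm else []
            violations.append({"check": v.group("check").strip(),
                               "containers": names,
                               "detail": v.group("detail")})
        records.append({"profile": m.group("profile"),
                        "pod": entry.get("knative.dev/pod"),
                        "violations": violations})
    return records


def violations_by_container(record):
    """Re-key one parsed warning as {container: [check, ...]} so it can be
    compared directly with restricted_profile_gaps() on the template."""
    out = {}
    for v in record["violations"]:
        for name in v["containers"]:
            out.setdefault(name, []).append(v["check"])
    return out


# Constructed pod templates. BARE_TEMPLATE mirrors the issue: user-container has
# no securityContext at all, queue-proxy has everything except a seccompProfile.
BARE_TEMPLATE = {"spec": {"containers": [
    {"name": "user-container", "image": "quay.io/openshift-knative/helloworld-go:multiarch"},
    {"name": "queue-proxy", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "runAsNonRoot": True}},
]}}

# HARDENED_TEMPLATE sets the pod-level fields once and the per-container fields
# that the warning says must be on the container itself.
HARDENED_TEMPLATE = {"spec": {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": n, "securityContext": {"allowPrivilegeEscalation": False,
                                         "capabilities": {"drop": ["ALL"]}}}
        for n in ("user-container", "queue-proxy")
    ]}}


def restricted_profile_gaps(template):
    """Apply the four checks named in the warning to a pod template and return
    {container: [failed check, ...]}. Container-level settings override the
    pod-level ones, as they do in Kubernetes."""
    spec = template.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    gaps = {}
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        failed = []
        if sc.get("allowPrivilegeEscalation") is not False:
            failed.append("allowPrivilegeEscalation != false")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            failed.append("unrestricted capabilities")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            failed.append("runAsNonRoot != true")
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            failed.append("seccompProfile")
        if failed:
            gaps[c["name"]] = failed
    return gaps


if __name__ == "__main__":
    for rec in parse_psa_warnings(SAMPLE_LOG):
        print(rec["profile"], rec["pod"], violations_by_container(rec))
    print("bare:", restricted_profile_gaps(BARE_TEMPLATE))
    print("hardened:", restricted_profile_gaps(HARDENED_TEMPLATE))
```

Running it shows that the per-container gaps computed from BARE_TEMPLATE are exactly the containers and checks the admission warning names, while HARDENED_TEMPLATE produces no gaps; the same check can be pointed at the pod template of a Deployment before it is applied.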

              Assignee: Stavros Kontopoulos (skontopo@redhat.com)
              Reporter: Martin Gencur (mgencur@redhat.com)
