  1. Red Hat 3scale API Management
  2. THREESCALE-8740

Add security context to the deployments

Details

    • RHOAM Sprint 48

    Description

      Currently there is an audit violation annotation complaining that the replication controller objects do not comply with the pod security restricted policy.

      Not a big issue because it is just the replication controller and not the pod. The pod has default security context configuration injected by OpenShift.

      More info: https://issues.redhat.com/browse/THREESCALE-8481

      Adding security context to the deployment (or deploymentconfigs) would remove the audit violation annotation for the replication controller objects.

       

      Example for zync-que-1 replicationcontroller

       oc adm node-logs ip-10-96-2-102.ec2.internal --path=kube-apiserver/audit-2022-09-20T10-20-42.318.log | grep zync-que-1 | grep audit-violations | jq '.'
      
      {
        "kind": "Event",
        "apiVersion": "audit.k8s.io/v1",
        "level": "Metadata",
        "auditID": "8f4fdd27-24ae-4030-b71e-ead1dffc494e",
        "stage": "ResponseComplete",
        "requestURI": "/api/v1/namespaces/peppa/replicationcontrollers/zync-que-1",
        "verb": "update",
        "user": {
          "username": "system:serviceaccount:openshift-infra:deployer-controller",
          "uid": "35e8921c-7399-4872-919b-fc0830d2a1b3",
          "groups": [
            "system:serviceaccounts",
            "system:serviceaccounts:openshift-infra",
            "system:authenticated"
          ]
        },
        "sourceIPs": [
          "10.128.1.217"
        ],
        "userAgent": "openshift-controller-manager/v0.0.0 (linux/amd64) kubernetes/$Format/system:serviceaccount:openshift-infra:deployer-controller",
        "objectRef": {
          "resource": "replicationcontrollers",
          "namespace": "peppa",
          "name": "zync-que-1",
          "uid": "635c91a2-78fe-451b-9d2d-5221673e2c76",
          "apiVersion": "v1",
          "resourceVersion": "5119766"
        },
        "responseStatus": {
          "metadata": {},
          "code": 200
        },
        "requestReceivedTimestamp": "2022-09-20T10:19:58.953969Z",
        "stageTimestamp": "2022-09-20T10:19:58.961164Z",
        "annotations": {
          "authorization.k8s.io/decision": "allow",
          "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:openshift:controller:deployer-controller\" of ClusterRole \"system:openshift:controller:deployer-controller\" to ServiceAccount \"deployer-controller/openshift-infra\"",
          "pod-security.kubernetes.io/audit-violations": "would violate PodSecurity \"restricted:v1.24\": allowPrivilegeEscalation != false (container \"que\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"que\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"que\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"que\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
        }
      }

      Note that the audit violation annotations show up in the Kubernetes API server audit logs, not in the OpenShift API server audit logs.

      Related info:

            People

              Unassigned Unassigned
              eguzki Eguzki Astiz Lezaun
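
The audit-violations annotation in the event above already names the securityContext fields each container is missing. As an added example (not part of the original issue or of the 3scale code), this Python script reads audit log lines such as those returned by the `oc adm node-logs` command and turns each annotation into the per-container securityContext it asks for. Assumptions: the function names are hypothetical, the plural `containers "a", "b"` wording is assumed to follow the same pattern as the singular form shown on this page, and where the message offers alternatives the first one (`RuntimeDefault`) is taken.

```python
import json
import re

ANNOTATION = "pod-security.kubernetes.io/audit-violations"
# One clause per failed check: (container "que" must set securityContext.x=y)
CLAUSE = re.compile(r'\((?:pod or )?containers? (?P<names>"[^)]*?") must set '
                    r'securityContext\.(?P<path>[\w.]+)(?:=| to )(?P<value>.+?)\)(?=,|$)')

def parse_value(raw):
    try:
        return json.loads(raw)                   # false, true, ["ALL"]
    except json.JSONDecodeError:                 # "RuntimeDefault" or "Localhost"
        return re.findall(r'"([^"]+)"', raw)[0]  # take the first allowed option

def required_security_context(message):
    """Map each container named in the message to the fields it must set."""
    fixes = {}
    for m in CLAUSE.finditer(message):
        *parents, leaf = m["path"].split(".")
        for name in re.findall(r'"([^"]+)"', m["names"]):
            node = fixes.setdefault(name, {})
            for key in parents:
                node = node.setdefault(key, {})
            node[leaf] = parse_value(m["value"])
    return fixes

def scan(audit_lines):
    """Yield (namespace, resource, name, fixes) per event with the annotation."""
    for line in audit_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                             # skip non-JSON lines
        message = (event.get("annotations") or {}).get(ANNOTATION)
        if message:
            ref = event.get("objectRef") or {}
            yield ref.get("namespace"), ref.get("resource"), ref.get("name"), required_security_context(message)

# Sample input: the event shown on this page, trimmed to the fields used here.
SAMPLE = json.dumps({
    "objectRef": {"resource": "replicationcontrollers", "namespace": "peppa", "name": "zync-que-1"},
    "annotations": {ANNOTATION: 'would violate PodSecurity "restricted:v1.24": '
        'allowPrivilegeEscalation != false (container "que" must set securityContext.allowPrivilegeEscalation=false), '
        'unrestricted capabilities (container "que" must set securityContext.capabilities.drop=["ALL"]), '
        'runAsNonRoot != true (pod or container "que" must set securityContext.runAsNonRoot=true), '
        'seccompProfile (pod or container "que" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'}})

if __name__ == "__main__":
    for ns, resource, name, fixes in scan([SAMPLE, "not json"]):
        print(f"{ns}/{resource}/{name}:", json.dumps(fixes, indent=2))
```

The dictionary printed for container `que` has the same shape as the `securityContext` block that would go under that container in the deployment or deploymentconfig pod template.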