Enhancement | Resolution: Obsolete | Major | 2.12.0 CR2 | RHOAM Sprint 48
Currently there is an audit violation annotation complaining that the replication controller objects do not comply with the pod security "restricted" policy.
This is not a big issue, because it is only the replication controller and not the pod that is flagged: the pod has a default security context configuration injected by OpenShift.
More info: https://issues.redhat.com/browse/THREESCALE-8481
Adding a security context to the Deployment (or DeploymentConfig) objects would remove the audit violation annotation for the replication controller objects they create.
Example for the zync-que-1 replicationcontroller:

    oc adm node-logs ip-10-96-2-102.ec2.internal --path=kube-apiserver/audit-2022-09-20T10-20-42.318.log | grep zync-que-1 | grep audit-violations | jq '.'

    {
      "kind": "Event",
      "apiVersion": "audit.k8s.io/v1",
      "level": "Metadata",
      "auditID": "8f4fdd27-24ae-4030-b71e-ead1dffc494e",
      "stage": "ResponseComplete",
      "requestURI": "/api/v1/namespaces/peppa/replicationcontrollers/zync-que-1",
      "verb": "update",
      "user": {
        "username": "system:serviceaccount:openshift-infra:deployer-controller",
        "uid": "35e8921c-7399-4872-919b-fc0830d2a1b3",
        "groups": [
          "system:serviceaccounts",
          "system:serviceaccounts:openshift-infra",
          "system:authenticated"
        ]
      },
      "sourceIPs": [
        "10.128.1.217"
      ],
      "userAgent": "openshift-controller-manager/v0.0.0 (linux/amd64) kubernetes/$Format/system:serviceaccount:openshift-infra:deployer-controller",
      "objectRef": {
        "resource": "replicationcontrollers",
        "namespace": "peppa",
        "name": "zync-que-1",
        "uid": "635c91a2-78fe-451b-9d2d-5221673e2c76",
        "apiVersion": "v1",
        "resourceVersion": "5119766"
      },
      "responseStatus": {
        "metadata": {},
        "code": 200
      },
      "requestReceivedTimestamp": "2022-09-20T10:19:58.953969Z",
      "stageTimestamp": "2022-09-20T10:19:58.961164Z",
      "annotations": {
        "authorization.k8s.io/decision": "allow",
        "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:openshift:controller:deployer-controller\" of ClusterRole \"system:openshift:controller:deployer-controller\" to ServiceAccount \"deployer-controller/openshift-infra\"",
        "pod-security.kubernetes.io/audit-violations": "would violate PodSecurity \"restricted:v1.24\": allowPrivilegeEscalation != false (container \"que\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"que\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"que\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"que\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
      }
    }
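The four rules quoted in the audit annotation above can be checked on a pod template before the manifests are changed. The script below is an added example, not code from the issue or the 3scale project; the `BEFORE`/`AFTER` templates are constructed stand-ins for the zync-que "que" container, and the field names are those the annotation itself names.

```python
# Added example: apply the four "restricted:v1.24" rules named in the audit
# annotation to a pod template. Not from the Jira issue or the 3scale project.
from typing import Any, Dict, List


def restricted_violations(pod_spec: Dict[str, Any]) -> List[str]:
    """Return the violations of the four rules quoted in the zync-que-1 audit
    event; an empty list means the template satisfies them."""
    pod_sc = pod_spec.get("securityContext") or {}
    problems: List[str] = []
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # 1. allowPrivilegeEscalation must be explicitly false on each container
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f'container "{name}": allowPrivilegeEscalation != false')
        # 2. every capability must be dropped (only NET_BIND_SERVICE may be added back)
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            problems.append(f'container "{name}": capabilities.drop must include ALL')
        extra = set(caps.get("add") or []) - {"NET_BIND_SERVICE"}
        if extra:
            problems.append(f'container "{name}": adds capabilities {sorted(extra)}')
        # 3. runAsNonRoot is taken from the pod level unless the container overrides it
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f'pod or container "{name}": runAsNonRoot != true')
        # 4. seccompProfile.type must be RuntimeDefault or Localhost (pod or container)
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f'pod or container "{name}": seccompProfile not set')
    return problems


# Constructed stand-in for the template the audit event describes: the "que"
# container carries no securityContext at all.
BEFORE = {"containers": [{"name": "que", "image": "zync:example"}]}

# The same template with the fields the restricted profile asks for.
AFTER = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "que", "image": "zync:example",
        "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(label, restricted_violations(spec) or "compliant")
```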
Note that the audit violation annotations show up in the Kubernetes API server audit logs, not in the OpenShift API server audit logs.
Related info:
- Pod security admission https://kubernetes.io/docs/concepts/security/pod-security-admission/
- Pod security standards https://kubernetes.io/docs/concepts/security/pod-security-standards/
- Viewing audit logs https://docs.openshift.com/container-platform/4.11/security/audit-log-view.html#nodes-nodes-audit-log-basic-viewing_audit-log-view
Is related to: THREESCALE-8481 Investigate if and how we are affected by change in pod security admission using the “restricted” profile by default (Closed)