Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-8740

Add security context to the deployments

XMLWordPrintable

    • 1
    • False
    • None
    • False
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • RHOAM Sprint 48

      Currently there is an audit violation annotation complaining that the replication controller objects do not comply with the pod security restricted policy.

      Not a big issue because it is just the replication controller and not the pod. The pod has default security context configuration  injected by openshift.

      More info: https://issues.redhat.com/browse/THREESCALE-8481

      Adding security context to the deployment (or deploymentconfigs) would remove the audit violation annotation for the replication controller objects.

       

      Example for zync-que-1 replicationcontroller

       oc adm node-logs  ip-10-96-2-102.ec2.internal --path=kube-apiserver/audit-2022-09-20T10-20-42.318.log | grep zync-que-1 | grep audit-violations | jq '.'
      
      {
        "kind": "Event",
        "apiVersion": "audit.k8s.io/v1",
        "level": "Metadata",
        "auditID": "8f4fdd27-24ae-4030-b71e-ead1dffc494e",
        "stage": "ResponseComplete",
        "requestURI": "/api/v1/namespaces/peppa/replicationcontrollers/zync-que-1",
        "verb": "update",
        "user": {
          "username": "system:serviceaccount:openshift-infra:deployer-controller",
          "uid": "35e8921c-7399-4872-919b-fc0830d2a1b3",
          "groups": [
            "system:serviceaccounts",
            "system:serviceaccounts:openshift-infra",
            "system:authenticated"
          ]
        },
        "sourceIPs": [
          "10.128.1.217"
        ],
        "userAgent": "openshift-controller-manager/v0.0.0 (linux/amd64) kubernetes/$Format/system:serviceaccount:openshift-infra:deployer-controller",
        "objectRef": {
          "resource": "replicationcontrollers",
          "namespace": "peppa",
          "name": "zync-que-1",
          "uid": "635c91a2-78fe-451b-9d2d-5221673e2c76",
          "apiVersion": "v1",
          "resourceVersion": "5119766"
        },
        "responseStatus": {
          "metadata": {},
          "code": 200
        },
        "requestReceivedTimestamp": "2022-09-20T10:19:58.953969Z",
        "stageTimestamp": "2022-09-20T10:19:58.961164Z",
        "annotations": {
          "authorization.k8s.io/decision": "allow",
          "authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"system:openshift:controller:deployer-controller\" of ClusterRole \"system:openshift:controller:deployer-controller\" to ServiceAccount \"deployer-controller/openshift-infra\"",
          "pod-security.kubernetes.io/audit-violations": "would violate PodSecurity \"restricted:v1.24\": allowPrivilegeEscalation != false (container \"que\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container \"que\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"que\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"que\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
        }
      }

      Note: that the audit violation annotations show up in the Kubernetes API server audit logs, not in the Openshift API server audit logs

      Related info:

              Unassigned Unassigned
              eguzki Eguzki Astiz Lezaun
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: