
operator: Adapt to k8s-1.25 security restrictions #1401

Conversation

qinqon
Collaborator

@qinqon qinqon commented Aug 2, 2022

What this PR does / why we need it:
When deployed at some clusters based on k8s 1.25 the operator gets the following error:

Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "cluster-network-addons-operator", "kube-rbac-proxy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "cluster-network-addons-operator", "kube-rbac-proxy" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or containers "cluster-network-addons-operator", "kube-rbac-proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

To fix that the pod and container security context for the operator is fixed following instructions at redhat-openshift-ecosystem/community-operators-prod#1417.

Release note:

Fix operator pod and container security context for k8s-1.25

Signed-off-by: Enrique Llorente <ellorent@redhat.com>
@kubevirt-bot kubevirt-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Aug 2, 2022
@sonarcloud

sonarcloud bot commented Aug 2, 2022

Kudos, SonarCloud Quality Gate passed!

  • Bugs: A (0 Bugs)
  • Vulnerabilities: A (0 Vulnerabilities)
  • Security Hotspots: A (0 Security Hotspots)
  • Code Smells: A (0 Code Smells)
  • No Coverage information
  • 0.0% Duplication

@maiqueb maiqueb left a comment

v2 SCC policies require you to:

  • either leave SeccompProfile empty or set it to runtime/default
  • always drop ALL. V1 only dropped KILL, MKNOD, SETUID, SETGID capabilities.
  • not use allowPrivilegeEscalation=true

Couldn't you have omitted the SeccompProfile on the pod section?...

According to the discussion, it should have been possible.

@qinqon
Collaborator Author

qinqon commented Aug 4, 2022

> v2 SCC policies require you to:
>
>   • either leave SeccompProfile empty or set it to runtime/default
>   • always drop ALL. V1 only dropped KILL, MKNOD, SETUID, SETGID capabilities.
>   • not use allowPrivilegeEscalation=true
>
> Couldn't you have omitted the SeccompProfile on the pod section?...
>
> According to the discussion, it should have been possible.

Not setting it throws a warning with

Warning: would violate PodSecurity "restricted:latest": seccompProfile (pod or containers "cluster-network-addons-operator", "kube-rbac-proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
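The three requirements discussed above (allowPrivilegeEscalation explicitly false, capabilities.drop=["ALL"], and a RuntimeDefault or Localhost seccomp profile at pod or container level) can be checked offline before a manifest hits a 1.25 API server. The script below is an added example and is not code from cluster-network-addons-operator, from this PR, or from the upstream pod-security-admission library; it reproduces the wording of the warnings quoted in the PR description but is a simplification of the real admission checks. The three Pod dicts (WEAK_POD, FIXED_POD, MISSING_SECCOMP_POD) are constructed for the example and are not the operator's actual Deployment; MISSING_SECCOMP_POD is the variant raised in the review, where everything is hardened except the seccomp profile, and it shows why omitting the profile still produces the seccompProfile warning.

```python
"""Offline check of a Pod spec against the three PodSecurity "restricted"
requirements quoted in this thread (allowPrivilegeEscalation, dropped
capabilities, seccomp profile).

Added example; not code from cluster-network-addons-operator or from
pod-security-admission. It reproduces the wording of the warnings in the PR
description but is a simplification of the upstream checks."""

from typing import Dict, List

# Constructed manifests for the example (plain dicts, not the operator's real
# Deployment). WEAK_POD has the shape that produced the warning in the PR
# description; FIXED_POD has the shape the PR moves to; MISSING_SECCOMP_POD is
# the variant discussed in the review (everything set except the profile).
WEAK_POD: Dict = {
    "securityContext": {},
    "containers": [
        {"name": "cluster-network-addons-operator", "securityContext": {}},
        {"name": "kube-rbac-proxy", "securityContext": {}},
    ],
}

_HARDENED_CONTAINER_CTX = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
}

FIXED_POD: Dict = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "cluster-network-addons-operator",
         "securityContext": dict(_HARDENED_CONTAINER_CTX)},
        {"name": "kube-rbac-proxy",
         "securityContext": dict(_HARDENED_CONTAINER_CTX)},
    ],
}

MISSING_SECCOMP_POD: Dict = {
    "securityContext": {},
    "containers": FIXED_POD["containers"],
}


def _names(names: List[str]) -> str:
    return ", ".join(f'"{n}"' for n in names)


def restricted_violations(pod: Dict) -> List[str]:
    """Return one message per failed check, phrased like the kube-apiserver
    warning. An empty list means the pod passes these three checks."""
    containers = pod.get("containers", []) + pod.get("initContainers", [])
    pod_ctx = pod.get("securityContext") or {}
    pod_seccomp = (pod_ctx.get("seccompProfile") or {}).get("type")

    no_ape, bad_caps, bad_seccomp = [], [], []
    for c in containers:
        sc = c.get("securityContext") or {}
        # restricted: the field must be explicitly false; unset means allowed
        if sc.get("allowPrivilegeEscalation") is not False:
            no_ape.append(c["name"])
        # restricted: drop ALL, and only NET_BIND_SERVICE may be added back
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []) or any(
            a != "NET_BIND_SERVICE" for a in (caps.get("add") or [])
        ):
            bad_caps.append(c["name"])
        # a container-level profile overrides the pod-level one; a profile
        # left empty at both levels is what produced the warning in the PR
        own = (sc.get("seccompProfile") or {}).get("type")
        effective = own if own is not None else pod_seccomp
        if effective not in ("RuntimeDefault", "Localhost"):
            bad_seccomp.append(c["name"])

    msgs = []
    if no_ape:
        msgs.append(
            f"allowPrivilegeEscalation != false (containers {_names(no_ape)} "
            "must set securityContext.allowPrivilegeEscalation=false)"
        )
    if bad_caps:
        msgs.append(
            f"unrestricted capabilities (containers {_names(bad_caps)} "
            'must set securityContext.capabilities.drop=["ALL"])'
        )
    if bad_seccomp:
        msgs.append(
            f"seccompProfile (pod or containers {_names(bad_seccomp)} must set "
            'securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")'
        )
    return msgs


def format_warning(pod: Dict, level: str = "restricted:latest") -> str:
    """Join the messages the way the API server prints them; empty string
    when the pod passes."""
    msgs = restricted_violations(pod)
    if not msgs:
        return ""
    return f'Warning: would violate PodSecurity "{level}": ' + ", ".join(msgs)


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("fixed", FIXED_POD),
                       ("missing seccomp", MISSING_SECCOMP_POD)):
        print(f"{label}: {format_warning(pod) or 'passes restricted'}")
```

Run stand-alone it prints the full warning for WEAK_POD, "passes restricted" for FIXED_POD, and only the seccompProfile part for MISSING_SECCOMP_POD. Note that the check reads the effective profile per container: setting seccompProfile once at the pod level, as the PR does, satisfies every container that does not override it, while the runtime/default spelling from the older annotation is not accepted by this field, which expects the RuntimeDefault type.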

@qinqon qinqon requested a review from maiqueb August 4, 2022 12:47
@maiqueb
Contributor

maiqueb commented Aug 4, 2022

> > v2 SCC policies require you to:
> >
> >   • either leave SeccompProfile empty or set it to runtime/default
> >   • always drop ALL. V1 only dropped KILL, MKNOD, SETUID, SETGID capabilities.
> >   • not use allowPrivilegeEscalation=true
> >
> > Couldn't you have omitted the SeccompProfile on the pod section?...
> > According to the discussion, it should have been possible.
>
> Not setting it throws a warning with
>
> Warning: would violate PodSecurity "restricted:latest": seccompProfile (pod or containers "cluster-network-addons-operator", "kube-rbac-proxy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Hm, how about that ...

Would we want to raise it in the linked discussion ?...

I'm OK w/ approving this then.

@maiqueb maiqueb left a comment

Please consider whether we want to provide feedback in the discussion about this, since something seems to be amiss.

@kubevirt-bot kubevirt-bot added the lgtm Indicates that a PR is ready to be merged. label Aug 4, 2022
@qinqon
Collaborator Author

qinqon commented Aug 5, 2022

> Please consider whether we want to provide feedback in the discussion about this, since something seems to be amiss.

Let's get the warning gone first, we can improve the situation later on.

@phoracek
Member

phoracek commented Aug 5, 2022

/approve

@kubevirt-bot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: phoracek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 5, 2022
@kubevirt-bot kubevirt-bot merged commit c5971b0 into kubevirt:main Aug 5, 2022
@phoracek
Member

phoracek commented Aug 8, 2022

/cherry-pick release-0.76

@kubevirt-bot
Collaborator

@phoracek: new pull request created: #1404

In response to this:

/cherry-pick release-0.76

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@qinqon
Collaborator Author

qinqon commented Sep 12, 2022

/cherry-pick release-0.65

@kubevirt-bot
Collaborator

@qinqon: #1401 failed to apply on top of branch "release-0.65":

Applying: operator: Adapt to k8s-1.25 security restrictions
Using index info to reconstruct a base tree...
M	pkg/components/components.go
Falling back to patching base and 3-way merge...
Auto-merging pkg/components/components.go
CONFLICT (content): Merge conflict in pkg/components/components.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 operator: Adapt to k8s-1.25 security restrictions
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-0.65

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S