bf2fc6cc711aee1a0c2a/kas-installer

PodSecurity warnings from fleetmanager when deploying to OpenShift 4.11.18

k-wall opened this issue · 6 comments

When deploying to ROSA (OpenShift 4.11.18), I'm seeing a deprecation warning.

serviceaccount/kas-fleet-manager configured
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (containers "migration", "service", "envoy-sidecar" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "migration", "service", "envoy-sidecar" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "migration", "service", "envoy-sidecar" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "migration", "service", "envoy-sidecar" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
deployment.apps/kas-fleet-manager created
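The warning above lists the four restricted:v1.24 conditions that the pod failed. The following added example (not kas-fleet-manager or kas-installer code; the pod specs and image names are constructed) checks a pod spec for those same four conditions and shows the securityContext settings that clear them:

```python
def restricted_violations(pod_spec):
    """Return the restricted:v1.24 conditions a pod spec would fail.

    Covers the four conditions named in the warning. runAsNonRoot and
    seccompProfile may be satisfied at pod level (a container may still
    override them), while allowPrivilegeEscalation and capabilities.drop
    must be set on every container. The full profile has further checks
    (e.g. capabilities.add, volume types) that are not covered here.
    """
    pod_sc = pod_spec.get("securityContext", {})
    violations = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation != false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{name}: runAsNonRoot != true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f"{name}: seccompProfile.type not RuntimeDefault/Localhost")
    return violations


CONTAINER_SC = {  # per-container settings the warning asks for
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
}

# Constructed pod specs (not taken from the project's manifests); the
# container names mirror the ones quoted in the warning.
BARE_SPEC = {
    "containers": [{"name": n, "image": "example/" + n}
                   for n in ("migration", "service", "envoy-sidecar")],
}
HARDENED_SPEC = {
    "securityContext": {"runAsNonRoot": True,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": n, "image": "example/" + n, "securityContext": CONTAINER_SC}
                   for n in ("migration", "service", "envoy-sidecar")],
}

if __name__ == "__main__":
    for label, spec in (("bare", BARE_SPEC), ("hardened", HARDENED_SPEC)):
        print(label, restricted_violations(spec) or "OK")
```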

I will take a look

I am currently investigating these warnings and tracking the progress in https://issues.redhat.com/browse/MGDSTRM-10307

I've been investigating the issue and I opened a PR that mitigates most of the warnings reported in here: bf2fc6cc711aee1a0c2a/kas-fleet-manager#1465

However, it is not possible to fully remove all the warnings because we currently need to support OCP versions older than OCP 4.11. Please see the linked PR for details about the problem and why we can't fully remove all the warnings.

cc @k-wall I also recommend that the data plane team review the deployments on the data plane side, as the same warnings would be shown for them too if the deployments don't specify any security context, or even worse, if they specify a security context that is not compatible with the updated policies in OCP >= 4.11 for new clusters.

thanks @miguelsorianod

re: "I also recommend the data plane team to review the deployments in the data plane side"

@MikeEdgar is this something already being addressed from a fleetshard pov?

I finished and merged the changes for KFM in the PR mentioned in the previous comment.
In the end, we have been able to remove all warnings on the KFM/control plane side by requiring OCP 4.11 as the minimum required version for KFM/control plane.

@k-wall from what has been observed there are no changes necessary for fleetshard. Pods for the operator and operands are currently created with the securityContext entries.