security context of hostpath-provisioner containers needs to be explicitly set #731

Open
anjannath opened this issue May 26, 2023 · 4 comments

@anjannath
Member

In the CI, when creating the hostpath-provisioner daemonset, it gives the following warnings:

+ ./openshift-clients/linux/oc apply -k kubevirt-hostpath-provisioner-csi/csi-driver -n hostpath-provisioner
serviceaccount/csi-hostpath-provisioner-sa created
rolebinding.rbac.authorization.k8s.io/csi-hostpathplugin-health-monitor-controller-role created
rolebinding.rbac.authorization.k8s.io/csi-hostpathplugin-provisioner-role created
clusterrolebinding.rbac.authorization.k8s.io/crc-csi-hostpathplugin-health-monitor-controller-cluster-role created
clusterrolebinding.rbac.authorization.k8s.io/crc-csi-hostpathplugin-provisioner-cluster-role created
Warning: would violate PodSecurity "restricted:latest": privileged (containers "hostpath-provisioner", "node-driver-registrar", "csi-provisioner" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers "hostpath-provisioner", "node-driver-registrar", "liveness-probe", "csi-provisioner" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "hostpath-provisioner", "node-driver-registrar", "liveness-probe", "csi-provisioner" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volumes "socket-dir", "mountpoint-dir", "registration-dir", "plugins-dir", "csi-data-dir" use restricted volume type "hostPath"), runAsNonRoot != true (pod or containers "hostpath-provisioner", "node-driver-registrar", "liveness-probe", "csi-provisioner" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "hostpath-provisioner", "node-driver-registrar", "liveness-probe", "csi-provisioner" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
daemonset.apps/csi-hostpathplugin created
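As an added illustration (not the project's manifests), the two places where the warning above can be addressed explicitly: the PodSecurity admission labels on the namespace, and the per-container securityContext fields the warning lists. The hostPath CSI node plugin genuinely needs `privileged: true` and `hostPath` volumes, so it cannot satisfy the `restricted` profile; the namespace is therefore labelled for the `privileged` level, and the fields are set explicitly on the one container the warning does not list as privileged (`liveness-probe`). Image names are placeholders.

```yaml
# Illustrative fragment, not the project's own manifests.
# 1. Declare the PodSecurity level the namespace actually runs at, so the
#    admission controller stops evaluating it against "restricted:latest".
apiVersion: v1
kind: Namespace
metadata:
  name: hostpath-provisioner
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/warn: privileged
---
# 2. Set every securityContext field explicitly instead of relying on
#    defaults. Only the containers that do not need privileged=true can
#    take the full restricted settings; privileged=true cannot be combined
#    with allowPrivilegeEscalation=false (the API server rejects that pair).
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: csi-hostpathplugin
  namespace: hostpath-provisioner
spec:
  selector:
    matchLabels: {app: csi-hostpathplugin}
  template:
    metadata:
      labels: {app: csi-hostpathplugin}
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault          # pod-level default for all containers
      containers:
      - name: liveness-probe
        image: PLACEHOLDER/livenessprobe:TAG
        securityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault
      - name: hostpath-provisioner
        image: PLACEHOLDER/hostpath-csi-driver:TAG
        securityContext:
          privileged: true               # required by the node plugin;
                                         # this is what the namespace
                                         # label above accounts for
```

With the namespace labelled `privileged`, `oc apply` no longer emits the "would violate PodSecurity" warning for this namespace, while the explicit fields on the non-privileged container keep its attack surface at the restricted level.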
@praveenkumar
Member

Until 4.13 we are OK with this warning, but IIRC in 4.14 it will be an error instead of a warning, so we should resolve it sooner rather than later.

@cfergeau
Contributor

Imo we should try to use the same CSI driver in both OpenShift and MicroShift bundles.

@praveenkumar
Member

praveenkumar commented May 26, 2023

> Imo we should try to use the same CSI driver in both OpenShift and MicroShift bundles.

It is a good suggestion, but we have to check the LVM requirement which MicroShift has because of that CSI driver.

@cfergeau
Contributor

cfergeau commented May 26, 2023

We always have the option to create a PV/... which would be used only by the CSI driver, and keep the rest of the openshift bundle the same as it currently is. I agree some exploratory work is needed before we know what can be done.
