[RELEASE-1.7][SRVKS-985] Add revision security defaults

[skonto]

• Adapted/backported from Add secure-pod-defaults flag to default Pods to 'restricted' profile by default knative/serving#13398
  We will enable the feature by default at the S-O side on OCP 4.11+ as we did with deprecated apis.
  The feature flag is: secure-pod-defaults.
• Tested on 4.13 for audit warnings. To test follow the process here (you need the latest oc version to avoid failures):

oc adm must-gather -- /usr/bin/gather_audit_logs
cd must-gather.local....
gunzip -r *
find ./ -type f -exec grep -l "violation" {} \; | xargs cat | grep violation

• Introduces "serving.knative.openshift.io/skipSeccompProfile" as a revision annotation that allows to skip setting seccomProfile for a service so it can run with the default image user. Since we support versions < 4.11 SeccompProfile is only set by default in versions > 4.10.

[skonto]

/hold

[skonto]

Tests passed. Must gather failed:

  * could not run steps: step e2e-aws-ocp-411 failed: "e2e-aws-ocp-411" post steps failed: "e2e-aws-ocp-411" pod "e2e-aws-ocp-411-gather-audit-logs" failed: the pod ci-op-ctmrhy2b/e2e-aws-ocp-411-gather-audit-logs failed after 5s (failed containers: place-entrypoint): ContainerFailed one or more containers exited
  * ```

[matzew]

isn't this something we can do upstream?

[skonto]

This is done upstream. There is a link in the description. The PR here is a backport of the upstream work.

[matzew]

We need it here, since serving is creating/owing those, and not the serverless operator?

[skonto]

Yes this is for knative services. Eventing might need this for some user workloads too.

[matzew]

In serverless operator will the feature be enabled, via code, when a certain platform match was detected, @skonto ?

[skonto]

In serverless operator will the feature be enabled, via code, when a certain platform match was detected, @skonto ?

Correct here is the PR at the S-O that I am using for testing:openshift-knative/serverless-operator#1862.

[skonto]

/test 49-e2e-aws-ocp-49

[matzew]

is that our env-var? If so, I'd prefix it slightly different, to not confuse w/ actual OCP bits.

[skonto]

This is internal not meant to be exposed.

[matzew]

why adding the func on this file?

the pkg/version has already the normalizeVersion func

[skonto]

Does not do what we want so we adapted it, we also have the same at the S-O side.

[matzew]

we could (for us) just hard-code here against 1.24, instead of passing in a version?

[skonto]

We could but it is not much different.

[matzew]

@skonto in 4.11 we only get warnings if the SecurityContext values are missing, right?

[skonto]

Yes if they are missing you get warnings in audit logs. We also got warnings in the controller logs since we do k8s api calls to create deployments.

[skonto]

/test 48-e2e-aws-ocp-48
/test 412-e2e-aws-ocp-412

[skonto]

/assign @ReToCode

/hold not sure if we are going to merge it, check discussion on the related jira.

[skonto]

/assign @mgencur

[ReToCode]

👍

[ReToCode]

We merge that change, even if we do not merge the whole thing.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ReToCode, skonto

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [skonto]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ReToCode]

Closing in favour of #194, but we are keeping the changes around in case we need it later.