manifests/*: comply to restricted pod security level

[s-urbaniak]

Starting from OpenShift 4.11 pod security admission is being activated. In OpenShift the default pod security admission level is going to be restricted. This PR fixes workloads from this repository. Concretely, the following violations have been detected:

{
  "objectRef": "openshift-operator-lifecycle-manager/deployments/olm-operator",
  "pod-security.kubernetes.io/audit-violations": "would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"olm-operator\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities
(container \"olm-operator\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"olm-operator\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"olm-operator\" must set se
curityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
}

{
  "objectRef": "openshift-operator-lifecycle-manager/deployments/package-server-manager",
  "pod-security.kubernetes.io/audit-violations": "would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"package-server-manager\" must set securityContext.allowPrivilegeEscalation=false), unrestricted cap
abilities (container \"package-server-manager\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"package-server-manager\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containe
r \"package-server-manager\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
}

{
  "objectRef": "openshift-operator-lifecycle-manager/deployments/catalog-operator",
  "pod-security.kubernetes.io/audit-violations": "would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"catalog-operator\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilit
ies (container \"catalog-operator\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"catalog-operator\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"catalog-operat
or\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
}

{
  "objectRef": "openshift-operator-lifecycle-manager/cronjobs/collect-profiles",
  "pod-security.kubernetes.io/audit-violations": "would violate PodSecurity \"restricted:latest\": allowPrivilegeEscalation != false (container \"collect-profiles\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilit
ies (container \"collect-profiles\" must set securityContext.capabilities.drop=[\"ALL\"]), runAsNonRoot != true (pod or container \"collect-profiles\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container \"collect-profil
es\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")"
}

/cc @stlaz

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: s-urbaniak
To complete the pull request process, please assign anik120 after the PR has been reviewed.
You can assign the PR to them by writing /assign @anik120 in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[timflannagan]

@s-urbaniak Any idea on where I'd be able to get the list of violations for the CVO manifests in this repository. Is there any tooling that helps produce these violations? It would be nice to get some more context before approving this.

[s-urbaniak]

@timflannagan the list of violations is not easy to retrieve, however not impossible: You'll need to install an openshift cluster, preserve the bootstrap node, ssh into it and then retrieve the kube-apiserver bootstrap audit log to introspect the failures posted in this PR. The general motivation for this PR can be read up in https://github.com/openshift/enhancements/blob/master/enhancements/authentication/pod-security-admission.md and in @stlaz's email posted to aos-devel. Also feel free to reach out in #forum-apiserver on Slack for OOB questions and clarifications.

[s-urbaniak]

/test verify

[s-urbaniak]

@timflannagan for any additional workloads we wrote psachecker, available at https://github.com/stlaz/psachecker which can be used against a running cluster or local files to introspect pod security violations.

[s-urbaniak]

@timflannagan to complete the picture, for a running cluster you can today must-gather audit logs and introspect potential violations by introspecting the kube-apiserver's audit logs. Just check for annotations with the pod-security.kubernetes.io/audit-violations key.

[openshift-ci]

@s-urbaniak: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify	6c485e6	link	true	/test verify
ci/prow/e2e-upgrade	6c485e6	link	true	/test e2e-upgrade
ci/prow/e2e-gcp	6c485e6	link	true	/test e2e-gcp

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[timflannagan]

Error creating: pods "collect-profiles-27524790-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, pod.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: Forbidden: seccomp may not be set, spec.containers[0].securityContext.runAsUser: Invalid value: 65534: must be in the ranges: [1000380000, 1000389999], pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/collect-profiles]: Forbidden: seccomp may not be set, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount] for Job.batch/v1/collect-profiles-27524790 -n openshift-operator-lifecycle-manager happened 3 times

That e2e-gcp failure looks legitimate?

[timflannagan]

Making direct changes to the staging/* directories without attaching metadata as a commit trailer will result in the verify prowjob to unfortunately fail.

We'd either need to introduce this changes to OLM, and cherrypick the upstream commit here to make the verify check happy, or inject these securityContext blocks as downstream-only changes. I think my preference would be to push through the latter right now.

[openshift-ci]

@s-urbaniak: PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[s-urbaniak]

/close

[openshift-ci]

@s-urbaniak: Closed this PR.

Details

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.