Comply with OCP/OKD 4.11 and 4.12 Pod Security Standards

[tiraboschi]

Set something like:

spec:
 securityContext:
   # Do not use SeccompProfile if your project must work on
   # old k8s versions < 1.19 and Openshift < 4.11
   seccompProfile:
      type: RuntimeDefault
   runAsNonRoot: true
 containers:
   - name: my-container
     securityContext:
       allowPrivilegeEscalation: false
       capabilities:
         drop:
           - ALL

following OCP/OKD 4.12 best practices.
This change should be backported to release-1.7
to ensure a smooth upgrade process to the next version.

Signed-off-by: Simone Tiraboschi stirabos@redhat.com

Reviewer Checklist

Reviewers are supposed to review the PR for every aspect below one by one. To check an item means the PR is either "OK" or "Not Applicable" in terms of that item. All items are supposed to be checked before merging a PR.

• PR Message
• Commit Messages
• How to test
• Unit Tests
• Functional Tests
• User Documentation
• Developer Documentation
• Upgrade Scenario
• Uninstallation Scenario
• Backward Compatibility
• Troubleshooting Friendly

Release note:

Comply with OCP/OKD 4.11 and 4.12 Pod Security Standards

[coveralls]

Pull Request Test Coverage Report for Build 2710977891

• 2 of 2 (100.0%) changed or added relevant lines in 1 file are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.02%) to 84.985%

---

Totals
Change from base Build 2686146258:	0.02%
Covered Lines:	4460
Relevant Lines:	5248

---

💛 - Coveralls

[hco-bot]

okd-hco-e2e-image-index-gcp lane succeeded.
/override ci/prow/okd-hco-e2e-image-index-aws
okd-hco-e2e-upgrade-index-gcp lane succeeded.
/override ci/prow/okd-hco-e2e-upgrade-index-aws

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/okd-hco-e2e-image-index-aws, ci/prow/okd-hco-e2e-upgrade-index-aws

In response to this:

okd-hco-e2e-image-index-gcp lane succeeded.
/override ci/prow/okd-hco-e2e-image-index-aws
okd-hco-e2e-upgrade-index-gcp lane succeeded.
/override ci/prow/okd-hco-e2e-upgrade-index-aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[hco-bot]

hco-e2e-upgrade-prev-index-sno-azure lane succeeded.
/override ci/prow/hco-e2e-upgrade-prev-index-sno-aws

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-prev-index-sno-aws

In response to this:

hco-e2e-upgrade-prev-index-sno-azure lane succeeded.
/override ci/prow/hco-e2e-upgrade-prev-index-sno-aws

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tiraboschi]

/retest

[hco-bot]

hco-e2e-upgrade-index-sno-aws lane succeeded.
/override ci/prow/hco-e2e-upgrade-index-sno-azure

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-index-sno-azure

In response to this:

hco-e2e-upgrade-index-sno-aws lane succeeded.
/override ci/prow/hco-e2e-upgrade-index-sno-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[orenc1]

I have 2 comments:

1. In the opening message you mentioned that also a seccompProfile should be added to the deployments spec:

   seccompProfile:
      type: RuntimeDefault

But I don't see it in the code changes.

2. I think we should also update the kubevirt console plugin deployment with the new PSS, which is deployed by HCO and not in the CSV:
   

   hyperconverged-cluster-operator/controllers/operands/kubevirtConsolePlugin.go

   Line 62 in e8601c2

   return &appsv1.Deployment{

[tiraboschi]

I have 2 comments:

done, thanks

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[hco-bot]

hco-e2e-upgrade-prev-index-aws lane succeeded.
/override ci/prow/hco-e2e-upgrade-prev-index-azure

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-upgrade-prev-index-azure

In response to this:

hco-e2e-upgrade-prev-index-aws lane succeeded.
/override ci/prow/hco-e2e-upgrade-prev-index-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tiraboschi]

/retest

[hco-bot]

hco-e2e-image-index-sno-aws lane succeeded.
/override ci/prow/hco-e2e-image-index-sno-azure

[kubevirt-bot]

@hco-bot: Overrode contexts on behalf of hco-bot: ci/prow/hco-e2e-image-index-sno-azure

In response to this:

hco-e2e-image-index-sno-aws lane succeeded.
/override ci/prow/hco-e2e-image-index-sno-azure

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[tiraboschi]

/retest

[tiraboschi]

/retest

[tiraboschi]

/retest

[tiraboschi]

/retest

[tiraboschi]

   seccompProfile:
      type: RuntimeDefault

is not working on OCP/OKD < 4.11.
Waiting for openshift/release#30734 to properly consume OKD 4.11

[orenc1]

/retest

[openshift-ci]

@tiraboschi: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/hco-e2e-upgrade-prev-index-azure	b1411ac	link	true	/test hco-e2e-upgrade-prev-index-azure
ci/prow/hco-e2e-image-index-sno-azure	b1411ac	link	false	/test hco-e2e-image-index-sno-azure

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[orenc1]

@tiraboschi , looks like seccomp configuration on pods is not yet supported on OKD.
We're consuming OKD 4.10 - the latest release is 4.10.0-0.okd-2022-07-09-073606

        {
            "apiVersion": "v1",
            "count": 1,
            "eventTime": null,
            "firstTimestamp": "2022-07-24T09:56:09Z",
            "involvedObject": {
                "apiVersion": "apps/v1",
                "kind": "ReplicaSet",
                "name": "hco-operator-7f479f7b55",
                "namespace": "kubevirt-hyperconverged",
                "resourceVersion": "28140",
                "uid": "dafe5a10-dc54-467a-b39f-3f6a010f4bd3"
            },
            "kind": "Event",
            "lastTimestamp": "2022-07-24T09:56:09Z",
            "message": "Error creating: pods \"hco-operator-7f479f7b55-zrskt\" is forbidden: unable to validate against any security context constraint: [pod.metadata.annotations.seccomp.security.alpha.kubernetes.io/pod: Forbidden: seccomp may not be set pod.metadata.annotations.container.seccomp.security.alpha.kubernetes.io/hyperconverged-cluster-operator: Forbidden: seccomp may not be set provider \"anyuid\": Forbidden: not usable by user or serviceaccount provider \"nonroot\": Forbidden: not usable by user or serviceaccount provider \"hostmount-anyuid\": Forbidden: not usable by user or serviceaccount provider \"machine-api-termination-handler\": Forbidden: not usable by user or serviceaccount provider \"hostnetwork\": Forbidden: not usable by user or serviceaccount provider \"hostaccess\": Forbidden: not usable by user or serviceaccount provider \"node-exporter\": Forbidden: not usable by user or serviceaccount provider \"privileged\": Forbidden: not usable by user or serviceaccount]",
            "metadata": {
                "creationTimestamp": "2022-07-24T09:56:09Z",
                "name": "hco-operator-7f479f7b55.1704bb5cbbefba90",
                "namespace": "kubevirt-hyperconverged",
                "resourceVersion": "28146",
                "uid": "73566fde-adc5-4d89-b8e7-aae2433cb05e"
            },
            "reason": "FailedCreate",
            "reportingComponent": "",
            "reportingInstance": "",
            "source": {
                "component": "replicaset-controller"
            },
            "type": "Warning"
        },

Assuming we must set this up for OCP 4.12, maybe we can manually add the restriced-v2 SCC from OCP, for OKD clusters.

[orenc1]

openshift/release#30734 is merged.
retesting with OKD 4.11
/retest

[tiraboschi]

/cherry-pick release-1.7

[kubevirt-bot]

@tiraboschi: once the present PR merges, I will cherry-pick it on top of release-1.7 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[orenc1]

/approve

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: orenc1

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [orenc1]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[kubevirt-bot]

@tiraboschi: #2036 failed to apply on top of branch "release-1.7":

Applying: Comply with OCP 4.11 and 4.12 Pod Security Standards
Using index info to reconstruct a base tree...
M	controllers/operands/kubevirtConsolePlugin.go
A	deploy/index-image/community-kubevirt-hyperconverged/1.8.0/manifests/kubevirt-hyperconverged-operator.v1.8.0.clusterserviceversion.yaml
A	deploy/olm-catalog/community-kubevirt-hyperconverged/1.8.0/manifests/kubevirt-hyperconverged-operator.v1.8.0.clusterserviceversion.yaml
M	deploy/operator.yaml
Falling back to patching base and 3-way merge...
Auto-merging deploy/operator.yaml
Auto-merging deploy/olm-catalog/community-kubevirt-hyperconverged/1.7.0/manifests/kubevirt-hyperconverged-operator.v1.7.0.clusterserviceversion.yaml
CONFLICT (content): Merge conflict in deploy/olm-catalog/community-kubevirt-hyperconverged/1.7.0/manifests/kubevirt-hyperconverged-operator.v1.7.0.clusterserviceversion.yaml
Auto-merging deploy/index-image/community-kubevirt-hyperconverged/1.7.0/manifests/kubevirt-hyperconverged-operator.v1.7.0.clusterserviceversion.yaml
Auto-merging controllers/operands/kubevirtConsolePlugin.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Comply with OCP 4.11 and 4.12 Pod Security Standards
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.