
Scorecard container is not config as restricted and would violate the Pod Security Standard #5939

Closed
camilamacedo86 opened this issue Jul 9, 2022 · 1 comment
Labels: scorecard (Issue relates to the scorecard subcomponent)

@camilamacedo86
Contributor

Bug Report

    $ operator-sdk scorecard ./testdata/go/v3/memcached-operator/bundle/
    W0709 11:17:16.475078   11104 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "scorecard-untar", "scorecard-test" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "scorecard-untar", "scorecard-test" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "scorecard-untar", "scorecard-test" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "scorecard-untar", "scorecard-test" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

What did you do?

Run the scorecard tests for the sample ./testdata/go/v3/memcached-operator/bundle/

What did you expect to see?

No alerts or WARNs about the scorecard containers violating the Pod Security Standards

What did you see instead? Under which circumstances?

The containers violate the definition and cannot run as restricted

Environment

Operator type:

/language go
/language ansible
/language helm

Kubernetes cluster type:

Kind (k8s 1.24)

$ operator-sdk version

    $ operator-sdk version
    operator-sdk version: "v1.22.0-21-ge7c9b74e-dirty", commit: "e7c9b74e20ab2dd17ab246c8c9e867b8c9b5b079", kubernetes version: "v1.24.1", go version: "go1.18.3", GOOS: "darwin", GOARCH: "amd64"

$ go version (if language is Go)

    go 1.18

Possible Solution

Ensure that the Pod/Containers used for Scorecard can run as restricted:

    spec:
      securityContext:
        runAsNonRoot: true          # pod-level; covers every container unless one overrides it
        seccompProfile:
          type: RuntimeDefault      # restricted accepts RuntimeDefault or Localhost
      ...
      containers:
      - name: controller-manager
        securityContext:
          allowPrivilegeEscalation: false   # must be set per container
          capabilities:
            drop:
            - ALL                   # drop every capability, per container

However, if the Scorecard image used does not define a USER we might check the following error:

"container has runAsNonRoot and image will run as root …

Then, in this case, we can define a USER in the Dockerfile instead of using runAsUser in the security context, such as:

    USER 65532:65532

OR

    USER 1001

Additional context

https://master.sdk.operatorframework.io/docs/best-practices/pod-security-standards/
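The four checks named in the warning above are exactly what pod security admission evaluates against the restricted profile, and the same checks can be run against a pod spec in CI before a cluster enforces them. The following is an added example, not code from this issue or from the operator-sdk project: a small Go checker that reads a pod spec as JSON (the shape of `.spec` from `kubectl get pod -o json`), applies the four checks to init and regular containers, honours the pod-level `runAsNonRoot` and `seccompProfile` fallback the warning refers to ("pod or containers"), and names the offending containers. The types, the sample pod JSON and the function names are constructed for this example; only the check wording mirrors the warning text.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical minimal mirror of the PodSpec fields the restricted checks consult (not the k8s.io/api types).
type (
	SeccompProfile  struct{ Type string `json:"type"` }
	Capabilities    struct{ Drop []string `json:"drop,omitempty"` }
	SecurityContext struct {
		RunAsNonRoot             *bool           `json:"runAsNonRoot,omitempty"`
		AllowPrivilegeEscalation *bool           `json:"allowPrivilegeEscalation,omitempty"`
		Capabilities             *Capabilities   `json:"capabilities,omitempty"`
		SeccompProfile           *SeccompProfile `json:"seccompProfile,omitempty"`
	}
	Container struct {
		Name            string           `json:"name"`
		SecurityContext *SecurityContext `json:"securityContext,omitempty"`
	}
	PodSpec struct {
		SecurityContext *SecurityContext `json:"securityContext,omitempty"`
		InitContainers  []Container      `json:"initContainers,omitempty"`
		Containers      []Container      `json:"containers"`
	}
)

// Constructed sample shaped like the scorecard test pod before the fix: no securityContext anywhere.
const scorecardPodJSON = `{
  "initContainers": [{"name": "scorecard-untar"}],
  "containers":     [{"name": "scorecard-test"}]
}`

// orEmpty dereferences a possibly-nil security context so the checks can read it.
func orEmpty(sc *SecurityContext) SecurityContext {
	if sc == nil {
		return SecurityContext{}
	}
	return *sc
}

// dropsAll reports whether the capability list drops ALL; nil means nothing is dropped.
func dropsAll(c *Capabilities) bool {
	if c == nil {
		return false
	}
	for _, d := range c.Drop {
		if d == "ALL" {
			return true
		}
	}
	return false
}

// CheckRestricted runs the four restricted-profile checks from the warning over init and
// regular containers; pod-level runAsNonRoot/seccompProfile cover a container unless it sets its own.
func CheckRestricted(spec PodSpec) (out []string) {
	pod := orEmpty(spec.SecurityContext)
	var ape, caps, nonRoot, seccomp []string
	all := append(append([]Container{}, spec.InitContainers...), spec.Containers...)
	for _, c := range all {
		sc := orEmpty(c.SecurityContext)
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			ape = append(ape, c.Name)
		}
		if !dropsAll(sc.Capabilities) {
			caps = append(caps, c.Name)
		}
		nr, sp := pod.RunAsNonRoot, pod.SeccompProfile
		if sc.RunAsNonRoot != nil {
			nr = sc.RunAsNonRoot // container value wins over the pod-level one
		}
		if sc.SeccompProfile != nil {
			sp = sc.SeccompProfile
		}
		if nr == nil || !*nr {
			nonRoot = append(nonRoot, c.Name)
		}
		if sp == nil || (sp.Type != "RuntimeDefault" && sp.Type != "Localhost") {
			seccomp = append(seccomp, c.Name)
		}
	}
	report := func(names []string, check string) {
		if len(names) > 0 {
			out = append(out, fmt.Sprintf("%s (containers %s)", check, strings.Join(names, ", ")))
		}
	}
	report(ape, "allowPrivilegeEscalation != false")
	report(caps, "unrestricted capabilities")
	report(nonRoot, "runAsNonRoot != true")
	report(seccomp, "seccompProfile")
	return out
}

// LoadPod parses a pod spec JSON document, e.g. the .spec of `kubectl get pod -o json`.
func LoadPod(data string) (spec PodSpec, err error) {
	err = json.Unmarshal([]byte(data), &spec)
	return
}
```

Running `CheckRestricted` on `scorecardPodJSON` yields the same four findings as the warning; feeding it a spec with the settings from the Possible Solution above yields none. Note that a container which explicitly sets `runAsNonRoot: false` is flagged again even when the pod level says `true`, which is the edge case that makes a pod-level-only fix insufficient for third-party containers.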

@camilamacedo86 camilamacedo86 added the scorecard Issue relates to the scorecard subcomponent label Jul 9, 2022
@asmacdo asmacdo modified the milestones: v1.23.0, v1.24.0 Jul 11, 2022
@asmacdo asmacdo modified the milestones: v1.24.0, v1.25.0 Sep 21, 2022
@jmrodri jmrodri changed the title Scorcard container is not config as restricted and would violate the Pod Security Standard Scorecard container is not config as restricted and would violate the Pod Security Standard Oct 12, 2022
@jmrodri jmrodri modified the milestones: v1.25.0, v1.26.0 Oct 25, 2022
@bcrochet
Contributor

I have a solution for this, and will post it shortly. If you'd like to assign this to me, that'd be fine.

bcrochet added a commit to bcrochet/operator-sdk that referenced this issue Nov 15, 2022
The test pod is not yet created in accordance with the Pod Security
Standard enforced in k8s 1.24. For compliance, the main pod security
context needs:

RunAsNonRoot: true
SeccompProfile:
  Type: RuntimeDefault

And each container needs:

SecurityContext:
  AllowPrivilegeEscalation: false
  Capabilities:
    Drop:
      'ALL'

Fixes operator-framework#5939

Signed-off-by: Brad P. Crochet <brad@redhat.com>
bcrochet added a commit to bcrochet/operator-sdk that referenced this issue Nov 16, 2022
bcrochet added a commit to bcrochet/operator-sdk that referenced this issue Nov 18, 2022
bcrochet added a commit to bcrochet/operator-sdk that referenced this issue Nov 18, 2022
bcrochet added a commit to bcrochet/operator-sdk that referenced this issue Nov 18, 2022
@jberkhahn jberkhahn modified the milestones: v1.26.0, v1.27.0 Dec 8, 2022