ptp-notification fluxcd app fails to start because of PodSecurity violation

Bug #1978737 reported by Cole Walker
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Cole Walker
Milestone: (empty)

Bug Description

Brief Description
-----------------
Attempting to apply ptp-notification results in the ptp-ptp-notification daemonset being unable to start its pods with a PodSecurity error.

Severity
--------
Provide the severity of the defect.
<Critical: System/Feature is not usable due to the defect>

Steps to Reproduce
------------------
system host-label-assign controller-0 ptp-notification=true
system host-label-assign controller-0 ptp-registration=true
system application-upload /usr/local/share/applications/helm/ptp-notification-<version>.tgz
system application-apply ptp-notification

Expected Behavior
------------------
ptp-ptp-notification daemonset schedules and starts the ptp-notification pod.

Actual Behavior
----------------
Pod fails to create with error:
Error creating: pods "ptp-ptp-notification-qlf5h" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)

Reproducibility
---------------
100%

System Configuration
--------------------
AIO-SX

Branch/Pull Time/Commit
-----------------------
master

Last Pass
---------
Appears to be related to the changes made in this review
https://review.opendev.org/c/starlingx/config/+/833487

Timestamp/Logs
--------------
Events:
  Type Reason Age From Message
  ---- ------ ---- ---- -------
  Warning FailedCreate 3m43s daemonset-controller Error creating: pods "ptp-ptp-notification-qlf5h" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning FailedCreate 3m43s daemonset-controller Error creating: pods "ptp-ptp-notification-sngr6" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning FailedCreate 3m43s daemonset-controller Error creating: pods "ptp-ptp-notification-6jngz" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning FailedCreate 3m43s daemonset-controller Error creating: pods "ptp-ptp-notification-v2vr5" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning FailedCreate 3m43s daemonset-controller Error creating: pods "ptp-ptp-notification-blspq" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning FailedCreate 3m43s daemonset-controller Error creating: pods "ptp-ptp-notification-w4l85" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning FailedCreate 3m42s daemonset-controller Error creating: pods "ptp-ptp-notification-7g658" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning FailedCreate 3m42s daemonset-controller Error creating: pods "ptp-ptp-notification-877jc" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning FailedCreate 3m41s daemonset-controller Error creating: pods "ptp-ptp-notification-whw7w" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)
  Warning FailedCreate 59s (x7 over 3m40s) daemonset-controller (combined from similar events): Error creating: pods "ptp-ptp-notification-79vxn" is forbidden: violates PodSecurity "baseline:v1.23": non-default capabilities (container "ptp-notification-ptptracking" must not include "CAP_SYS_ADMIN" in securityContext.capabilities.add), hostPath volumes (volumes "ptpdir", "varrun", "pmc", "conf"), privileged (container "ptp-notification-ptptracking" must not set securityContext.privileged=true)

Test Activity
-------------
Normal use

Workaround
----------
Describe workaround if available

Cole Walker (cwalops)
Changed in starlingx:
assignee: nobody → Cole Walker (cwalops)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/845852

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/845852
Committed: https://opendev.org/starlingx/config/commit/b50407b5fa303c33f0e18bb3394e085adb82efd2
Submitter: "Zuul (22348)"
Branch: master

commit b50407b5fa303c33f0e18bb3394e085adb82efd2
Author: Cole Walker <email address hidden>
Date: Tue Jun 14 17:50:21 2022 -0400

    [PTP] Update notification namespace to be privileged

    The ptp-notification application requires a privileged namespace in
    order to deploy and operate.

    This change moves the notification namespace from the baseline policy
    group to the privileged policy group so that it can continue to operate
    as it did prior to the addition of support for the Pod Security
    Admission controller introduced in the upversion to k8s 1.23.

    The privileged and baseline groups were defined in
    https://review.opendev.org/c/starlingx/config/+/833487

    Test-plan:

    Pass: Update the privileged and baseline groups in common.py, restart
    sysinv-conductor and verify that ptp-notification is able to properly
    deploy.

    Pass: Verify that the notification namespace has the expected
    privileged labels.

    Closes-Bug: 1978737

    Signed-off-by: Cole Walker <email address hidden>
    Change-Id: I5d24a8e81b32809f568a5953701cf2e0c474005e

Changed in starlingx:
status: In Progress → Fix Released
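The FailedCreate event above lists three baseline:v1.23 findings, and the merged fix resolves them by moving the namespace to the privileged level rather than by changing the pod spec. The following is an added example, not StarlingX or Kubernetes code: it re-implements just those three checks over a pod spec constructed from the error text (the hostPath paths are placeholders, not the chart's real values) and shows how the namespace enforce label decides admission, which is the check the commit's test plan asks for.

```python
# Added example (not StarlingX/Kubernetes code): the three baseline checks from
# the logged error, plus the namespace-label decision the fix depends on.

# Baseline allow-list for securityContext.capabilities.add (Pod Security Standards).
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
                 "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID",
                 "SYS_CHROOT"}
PSA = "pod-security.kubernetes.io/"


def baseline_violations(pod):
    """Return baseline findings for one pod spec (only the checks seen on this page)."""
    spec, out = pod["spec"], []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # Names are compared as written, so "CAP_SYS_ADMIN" fails exactly as logged.
        for cap in (sc.get("capabilities") or {}).get("add") or []:
            if cap not in BASELINE_CAPS:
                out.append(f'non-default capabilities (container "{c["name"]}" adds "{cap}")')
        if sc.get("privileged") is True:
            out.append(f'privileged (container "{c["name"]}" sets privileged=true)')
    host_vols = [v["name"] for v in spec.get("volumes", []) if "hostPath" in v]
    if host_vols:
        out.append("hostPath volumes (" + ", ".join(f'"{n}"' for n in host_vols) + ")")
    return out


def privileged_labels(version="v1.23"):
    """Namespace labels that put a namespace at the privileged enforce level (the fix)."""
    return {PSA + "enforce": "privileged", PSA + "enforce-version": version}


def admitted(pod, ns_labels):
    """Mimic the enforce decision; an unlabelled namespace is not enforced at all."""
    if ns_labels.get(PSA + "enforce", "privileged") == "privileged":
        return True, []
    findings = baseline_violations(pod)
    return not findings, findings


# Constructed from the logged error; hostPath paths are placeholders.
PTP_POD = {"spec": {
    "containers": [{"name": "ptp-notification-ptptracking",
                    "securityContext": {"privileged": True,
                                        "capabilities": {"add": ["CAP_SYS_ADMIN"]}}}],
    "volumes": [{"name": n, "hostPath": {"path": f"/placeholder/{n}"}}
                for n in ("ptpdir", "varrun", "pmc", "conf")]}}
```

Note that `privileged` also admits anything else later deployed into that namespace, so the label is worth auditing on its own rather than only when the app fails to start.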
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → High
tags: added: stx.7.0 stx.apps stx.networking