Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Executing test opnfv/functest-kubernetes-security:v1.23 run_tests -t kube_bench_node failed because of PSP #1395

Open
sultetveny opened this issue Mar 10, 2023 · 0 comments
Open

Executing test opnfv/functest-kubernetes-security:v1.23 run_tests -t kube_bench_node failed because of PSP #1395

sultetveny opened this issue Mar 10, 2023 · 0 comments

Comments

@sultetveny
Copy link

sultetveny commented Mar 10, 2023
edited
Loading

Overview

I executed the kube_bench_node test suite on a K8S cluster where strict PSP defined and the test failed.

How did you run kube-bench?

podman run -it --env-file ~/opnfv/env \
-v ~/opnfv/ca.pem:/home/opnfv/functest/ca.pem:Z \
-v ~/opnfv/config:/root/.kube/config:Z \
-v ~/opnfv/results:/home/opnfv/functest/results:Z \
-v ~/opnfv/repositories.yml:/home/opnfv/functest/repositories.yml:Z \
-v ~/opnfv/cluster-admin.pem:/home/opnfv/functest/cluster-admin.pem:Z \
-v ~/opnfv/cluster-admin-key.pem:/home/opnfv/functest/cluster-admin-key.pem:Z \
opnfv/functest-kubernetes-security:v1.23 /bin/bash


run_tests -t kube_bench_node

What happened?

Test case failed. For more information please check attach
functest-kubernetes.debug.log
functest-kubernetes.log
ed file

Log from cluster

Events:
 Type     Reason        Age                From            Message
 ----     ------        ----               ----            -------
 Warning  FailedCreate  13s (x2 over 23s)  job-controller  Error creating: pods "kube-bench-node-" is forbidden: PodSecurityPolicy: unable to admit pod: [spec.securityContext.hostPID: Invalid value: true: Host PID is not allowed to be used spec.volumes[0].hostPath.pathPrefix: Invalid value: "/var/lib/kubelet": is not allowed to be used spec.volumes[1].hostPath.pathPrefix: Invalid value: "/etc/systemd": is not allowed to be used spec.volumes[2].hostPath.pathPrefix: Invalid value: "/etc/kubernetes": is not allowed to be used spec.volumes[3].hostPath.pathPrefix: Invalid value: "/usr/bin": is not allowed to be used]

What did you expect to happen:

I expected the test case executed successfully.

Environment

[What is your version of Kubernetes? (run kubectl version or oc version on OpenShift.)]

Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.15", GitCommit:"b84cb8ab29366daa1bba65bc67f54de2f6c34848", GitTreeState:"clean", BuildDate:"2022-12-08T10:49:13Z", GoVersion:"go1.17.13", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.15", GitCommit:"b84cb8ab29366daa1bba65bc67f54de2f6c34848", GitTreeState:"clean", BuildDate:"2022-12-08T10:42:57Z", GoVersion:"go1.17.13", Compiler:"gc", Platform:"linux/amd64"}

Running processes

Configuration files

Anything else you would like to add:

Ufortunately no configurable parameter (like namespace) available for execution, to make sure the proper PSP will be allocated for these PODs
because only the half of the namespace are predictable the other half is randomly generated, it's not possible to prepare the environment (pre create ns, sa, roler, rolebinding, psp)
The only way I found is to disable PSP on cluster level, but it's not so sophisticated. Maybe sa/role/rolebinding/psp should be created automatically, for this purpose.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sultetveny