[BUG]: cert-csi not using the Privileged Pod security profile

[dancohen21]

Bug Description

Environment: OpenShift 4.15 with PowerStore trying to run cert-csi, and running into an issue with the ephemeral-volume test. This is the first error: [2024-09-30 14:33:43] ERROR suite EphemeralVolumeSuite failed; error=pods "pod-ephemeral-test-q4nn6" is forbidden: pod-ephemeral-test-q4nn6 uses an inline volume provided by CSIDriver csi-powerstore.dellemc.com and namespace functional-test-78be1761 has a pod security enforce level that is lower than privileged name=EphemeralVolumeSuite num=8 sc=powerstore-ext4 [2024-09-30 14:33:43] INFO FAILURE: EphemeralVolumeSuite in 26.078043377s name=EphemeralVolumeSuite num=8 sc=powerstore-ext4

here are my files: cert-csi-tests.yaml storageClasses:

• name: powerstore-ext4 minSize: "5Gi" rawBlock: true expansion: true clone: true snapshot: true volumeHealth: false # Set this to enable the execution of the VolumeHealthMetricsSuite.

  Make sure to enable healthMonitor for the driver's controller and node pods before running this suite. It is recommended to use a smaller interval time for this sidecar and pass the required arguments.

  VGS: false # Set this to enable the execution of the VolumeGroupSnapSuite.

  Additionally, make sure to provide the necessary required arguments such as volumeSnapshotClass, vgs-volume-label, and any others as needed.

  RWOP: true # Set this to enable the execution of the MultiAttachSuite with the AccessMode set to ReadWriteOncePod. ephemeral: driver: csi-powerstore.dellemc.com volumeAttributes: size: "10Gi" protocol: "ISCSi" running the certify script cert-csi certify --cert-config cert-csi-tests.yaml --vsc powerstore-snapshot

Per: https://access.redhat.com/solutions/7076474 Added to the csi-powerstore CSIDriver object: labels: security.openshift.io/csi-ephemeral-volume-profile: privileged

full csi-powerstore CSIDriver object:

Please edit the object below. Lines beginning with a '#' will be ignored,

and an empty file will abort the edit. If an error occurs while saving this file will be

reopened with the relevant failures.

# apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: creationTimestamp: "2024-09-18T01:27:16Z" labels: security.openshift.io/csi-ephemeral-volume-profile: privileged name: csi-powerstore.dellemc.com resourceVersion: "22861997" uid: b3a13926-7a14-40ca-88fb-cc871eaaa679 spec: attachRequired: true fsGroupPolicy: ReadWriteOnceWithFSType podInfoOnMount: true requiresRepublish: false seLinuxMount: false storageCapacity: true volumeLifecycleModes:

• Persistent
• Ephemeral

However, the cert-csi script is dynamically creating the namespace and not applying the label to the namespace. without the label this cert-csi script won't pass certification on OpenShift 4.13+

Logs

[2024-09-30 14:33:43] ERROR suite EphemeralVolumeSuite failed; error=pods "pod-ephemeral-test-q4nn6" is forbidden: pod-ephemeral-test-q4nn6 uses an inline volume provided by CSIDriver csi-powerstore.dellemc.com and namespace functional-test-78be1761 has a pod security enforce level that is lower than privileged name=EphemeralVolumeSuite num=8 sc=powerstore-ext4 [2024-09-30 14:33:43] INFO FAILURE: EphemeralVolumeSuite in 26.078043377s name=EphemeralVolumeSuite num=8 sc=powerstore-ext4

Screenshots

No response

Additional Environment Information

No response

Steps to Reproduce

OpenShift 4.15 with PowerStore CSI driver

here are my files: cert-csi-tests.yaml storageClasses:

• name: powerstore-ext4 minSize: "5Gi" rawBlock: true expansion: true clone: true snapshot: true volumeHealth: false # Set this to enable the execution of the VolumeHealthMetricsSuite.

  Make sure to enable healthMonitor for the driver's controller and node pods before running this suite. It is recommended to use a smaller interval time for this sidecar and pass the required arguments.

  VGS: false # Set this to enable the execution of the VolumeGroupSnapSuite.

  Additionally, make sure to provide the necessary required arguments such as volumeSnapshotClass, vgs-volume-label, and any others as needed.

  RWOP: true # Set this to enable the execution of the MultiAttachSuite with the AccessMode set to ReadWriteOncePod. ephemeral: driver: csi-powerstore.dellemc.com volumeAttributes: size: "10Gi" protocol: "ISCSi" running the certify script cert-csi certify --cert-config cert-csi-tests.yaml --vsc powerstore-snapshot

Expected Behavior

The cert-csi script doesn't seem to conform to the Openshift security requirements for the ephemeral volumes test. https://docs.openshift.com/container-platform/4.13/storage/container_storage_interface/ephemeral-storage-csi-inline.html?extIdCarryOver=true&sc_cid=701f2000001Css5AAC#security-profile-enforcement

CSM Driver(s)

CSM 1.10.2, CSM-Operator 1.5.1 and csi-powerstore 2.10.1

Installation Type

CSM-Operator 1.5.1

Container Storage Modules Enabled

No response

Container Orchestrator

OpenShift 4.15

Operating System

RHCOS based on RHEL 9.2

[atye]

/sync

[dancohen21]

I build the cert-csi software using the "security_context_changes" branch and it passes certification with OpenShift 4.15 and CSI-PowerStore 2.10.1

was this branch in response or related to this open issue?

[csmbot]

link: 28641

[atye]

@sakshi-garg1 Are you working on this? See 28641.

[dancohen21]

Possibly another one? Environment: OpenShift 4.15 with PowerStore trying to run cert-csi, and running into an issue with the capacityTrackingSuite test. This is the first error:

[2024-10-01 16:10:17] ERROR suite CapacityTrackingSuite failed; error=exit status 1 name=CapacityTrackingSuite num=9 sc=powerstore-nfs [2024-10-01 16:10:17] INFO FAILURE: CapacityTrackingSuite in 36.593444355s name=CapacityTrackingSuite num=9 sc=powerstore-nfs W1001 16:10:18.018404 826466 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "prov-test" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "prov-test" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "prov-test" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "prov-test" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

[sakshi-garg1]

In OCP environment for ephemeral suite to pass it is mandatory for you to set this label in CSIDriver : oc label csidriver csi-powerstore.dellemc.com security.openshift.io/csi-ephemeral-volume-profile=restricted

Also the cert-csi branch "security_context_changes" has changes related to OCP 4.17 rc build in which I was seeing these security context errors. But in 4.17 GA build these errors are automatically showing up as warnings and suite is working fine.

[dancohen21]

18 of 19 cert-csi test suite pass with:

cert-csi release 1.5.0 PowerStore 3.6.1.2 connected with ISCSI OpenShift 4.14 using csm-operator 1.5.1 and csi-powerstore 2.10.1 using the powerstore sample on https://dell.github.io/csm-docs/docs/support/cert-csi/

[root@ocpcsi-bastion-10-241-171-47 dsc]# ./cert-csi-linux-amd64 certify --cert-config tests-full.yaml --vsc powerstore-snapshot [2024-10-03 17:37:21] INFO Starting cert-csi; ver. 1.5.0 [2024-10-03 17:37:21] INFO Suites to run with powerstore-xfs storage class: [2024-10-03 17:37:21] INFO 1. VolumeIoSuite {volumes: 2, volumeSize: 5Gi chains: 2-2} [2024-10-03 17:37:21] INFO 2. ScalingSuite {replicas: 2, volumes: 5, volumeSize: 5Gi} [2024-10-03 17:37:21] INFO 3. CloneVolumeSuite {pods: 2, volumes: 1, volumeSize: 5Gi} [2024-10-03 17:37:21] INFO 4. VolumeExpansionSuite {pods: 1, volumes: 1, size: 5Gi, expSize: 10Gi, block: false} [2024-10-03 17:37:21] INFO 5. VolumeExpansionSuite {pods: 1, volumes: 1, size: 5Gi, expSize: 10Gi, block: true} [2024-10-03 17:37:21] INFO 6. SnapSuite {snapshots: 3, volumeSize; 5Gi} [2024-10-03 17:37:21] INFO 7. ReplicationSuite {pods: 2, volumes: 5, volumeSize: 5Gi} [2024-10-03 17:37:21] INFO 8. MultiAttachSuite {pods: 5, rawBlock: true, size: 5Gi, accMode: ReadWriteMany} [2024-10-03 17:37:21] INFO 9. EphemeralVolumeSuite {driver: csi-powerstore.dellemc.com, podNumber: 2, volAttributes: map[arrayid:PSe69390685e6a protocol:iSCSI size:10Gi]} [2024-10-03 17:37:21] INFO Suites to run with powerstore-nfs-waitforfirstconsumer storage class: [2024-10-03 17:37:21] INFO 1. VolumeIoSuite {volumes: 2, volumeSize: 5Gi chains: 2-2} [2024-10-03 17:37:21] INFO 2. ScalingSuite {replicas: 2, volumes: 5, volumeSize: 5Gi} [2024-10-03 17:37:21] INFO 3. CloneVolumeSuite {pods: 2, volumes: 1, volumeSize: 5Gi} [2024-10-03 17:37:21] INFO 4. VolumeExpansionSuite {pods: 1, volumes: 1, size: 5Gi, expSize: 10Gi, block: false} [2024-10-03 17:37:21] INFO 5. SnapSuite {snapshots: 3, volumeSize; 5Gi} [2024-10-03 17:37:21] INFO 6. ReplicationSuite {pods: 2, volumes: 5, volumeSize: 5Gi} [2024-10-03 17:37:21] INFO 7. MultiAttachSuite {pods: 5, rawBlock: false, size: 5Gi, accMode: ReadWriteMany} [2024-10-03 17:37:21] INFO 8. MultiAttachSuite {pods: 5, rawBlock: false, size: 5Gi, accMode: ReadWriteOncePod} [2024-10-03 17:37:21] INFO 9. EphemeralVolumeSuite {driver: csi-powerstore.dellemc.com, podNumber: 2, volAttributes: map[arrayid:PSe69390685e6a nasname:nas server protocol:NFS size:100Gi]} [2024-10-03 17:37:21] INFO 10. CapacityTrackingSuite {DriverNamespace: powerstore, volumeSize: 5Gi, pollInterval: 2m0s} Does it look OK? (Y)es/(n)o -> y

required configuration as per https://github.com/dell/csm/issues/1488, label the powerstore-xfs storage class with oc label csidriver csi-powerstore.dellemc.com security.openshift.io/csi-ephemeral-volume-profile=restricted This configuration is required and not found in the documentation.

the test that failed: CapacityTrackingSuite [2024-10-03 17:42:41] ERROR suite CapacityTrackingSuite failed; error=timed out waiting for the condition name=CapacityTrackingSuite num=9 sc=powerstore-nfs-waitforfirstconsumer [2024-10-03 17:42:42] INFO FAILURE: CapacityTrackingSuite in 5m16.425024137s name=CapacityTrackingSuite num=9 sc=powerstore-nfs-waitforfirstconsumer

[dancohen21]

Closing this issue; Opened https://github.com/dell/csm/issues/1502 to simplify communication.