Scans fail with OpenShift 4.15 clusters

[rhmdnd]

OpenShift 4.15 clusters are more strict about SCCs associated with pods, which causes the scanner pods to fail, leaving the scan in a LAUNCHING state forever (or at least until it times out).

Here is an example of the trace from the operator log:

{"level":"error","ts":"2023-11-17T15:39:07.613Z","logger":"scanctrl","msg":"Failed to launch a pod","Request.Namespace":"openshift-compliance","Request.Name":"upstream-ocp4-cis-node-worker","Pod.Name":"openscap-pod-8bf02d4b600c7b5be62eb0d10093b098b6f7679e","error":"pods \"openscap-pod-8bf02d4b600c7b5be62eb0d10093b098b6f7679e\" is forbidden: violates PodSecurity \"restricted:latest\": privileged (containers \"runtime-kubeletconfig-helper\", \"scanner\" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (containers \"runtime-kubeletconfig-helper\", \"scanner\" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers \"runtime-kubeletconfig-helper\", \"scanner\" must set securityContext.capabilities.drop=[\"ALL\"]), restricted volume types (volume \"host\" uses restricted volume type \"hostPath\"), runAsNonRoot != true (pod or containers \"content-container\", \"runtime-kubeletconfig-helper\", \"log-collector\", \"scanner\" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers \"content-container\", \"runtime-kubeletconfig-helper\", \"log-collector\", \"scanner\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\")",

I was able to recreate this with 587e038 using make deploy-local and applying any scan binding that runs a node scan (e.g., ocp4-cis-node).

[rhmdnd]

This seems to have resolved itself?

[rhmdnd]

Looks like @xiaojiey may have hit this in ComplianceAsCode/content#11241 (comment)