Bug 1274601

Summary: Remote shell and exec is allowed on privileged pods
Product: OpenShift Container Platform Reporter: Jianwei Hou <jhou>
Component: NodeAssignee: Paul Weil <pweil>
Status: CLOSED CURRENTRELEASE QA Contact: Jianwei Hou <jhou>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0.0CC: aos-bugs, jokerman, mmccomas
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-23 14:25:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jianwei Hou 2015-10-23 06:20:00 UTC
Description of problem:
This is a regression of bug 1255022. Remote shell and exec is allowed on privileged pods

Version-Release number of selected component (if applicable):
openshift v3.0.2.902
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
etcd 2.1.2

How reproducible:

Steps to Reproduce:
1. Edit scc to allow privileged pods
2. oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/storage/nfs/nfs-server.yaml
3. oc rsh nfs-server
4. oc exec nfs-server ls

Actual results:
Step 3 and 4 are both successful

Expected results:
Step 3 and 4 should fail because the container is prvileged

Additional info:

Comment 2 Paul Weil 2015-10-23 12:42:07 UTC
This was changed in https://github.com/openshift/origin/pull/4755 to allow someone who has permissions to create the pod to exec into it.  If, by SCC permissions, you could create the pod you're trying to reach you are allowed to use it.

This has replaced the blanket denial: https://github.com/openshift/origin/pull/4755/files#diff-05523003a782d7b3b61c2608a29dfb39

Comment 3 Jianwei Hou 2015-10-26 05:49:02 UTC
Thank you. So this is working correctly as we expect. I was able to exec/rsh to a pod I created.

Comment 4 Brenton Leanhardt 2015-11-23 14:25:39 UTC
This fix is available in OpenShift Enterprise 3.1.