Bug 1404163

Summary: [RFE] SCCs should be allowed to images as well as to users.
Product: OpenShift Container Platform Reporter: Javier Ramirez <javier.ramirez>
Component: RFEAssignee: Michal Fojtik <mfojtik>
Status: CLOSED DEFERRED QA Contact: Xiaoli Tian <xtian>
Severity: high Docs Contact:
Priority: unspecified    
Version: 3.4.0CC: aos-bugs, clichybi, eparis, javier.ramirez, jialiu, jokerman, lmeyer, mbarrett, mfojtik, mmccomas, sjr, vsemushi
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-12 13:54:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Comment 1 Javier Ramirez 2016-12-13 09:05:04 UTC 
Let's start this RFE with the sample use case we want to cover: "As a user, I would like some SCCs to be allowed to the users ONLY IF POD IMAGE(S) BELONG TO A WHITE LIST.". 

In some regions, we had to forbid users to deploy images with root user. However, there are some images that only can run as root. What we want to do is to allow only that white list of certified and verified corporate images to be run as root, while any other kind of image should not be allowed.

The way to achieve this (and probably other use cases) would be the ability to restrict an SCC not only to a list of users but also to a white list images. So, if a user with permissions on that SCC tries to deploy an image not present at the white list, he would not be allowed to use that SCC for that.

Image white lists must be specifiable both with image tags names (i.e. "myregistry.local/repo/image:tag") and with SHA256 sums. It is important to support both becase we do need to keep compatibility with v1-only registries, as
Comment 2 Dan McPherson 2016-12-13 12:13:24 UTC 
As soon as you give a user the ability to run as root in a project with any image, you have the same surface area for attack as if you gave them access to all images as root.  It seems like what you really want is user namespaces to be able to run images as root and not have a security risk.
Comment 3 Dan McPherson 2016-12-13 12:15:49 UTC 

*** This bug has been marked as a duplicate of bug 1352616 ***
Comment 13 Eric Rich 2018-03-12 13:54:36 UTC 
This bug has been identified as a dated (created more than 3 months ago) bug. 
This bug has been triaged (has a trello card linked to it), or reviewed by Engineering/PM and has been put into the product backlog, 
however this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year. 

As a result of this bugs age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Differed, 
as it is currently not part of the products immediate priorities.

Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.