Bug 1464356

Summary: Failed to prevent s2i builder images from running as root
Product: OpenShift Container Platform
Component: Build
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 3.6.0
Target Release: 3.6.z
Keywords: Regression
Hardware: Unspecified
OS: Unspecified
Reporter: Dongbo Yan <dyan>
Assignee: Ben Parees <bparees>
QA Contact: Dongbo Yan <dyan>
CC: aos-bugs, deads, smunilla
Doc Type: If docs needed, set a value
Last Closed: 2017-08-01 15:23:50 UTC
Type: Bug

Description Dongbo Yan 2017-06-23 08:30:11 UTC
Description of problem:
Failed to prevent s2i builder images from running as root

Version-Release number of selected component (if applicable):
openshift v3.6.122
kubernetes v1.6.1+5115d708d7

How reproducible:
Always

Steps to Reproduce:
1. Build an image with a Dockerfile that sets the instruction "USER 0"
2. Use the image built above to do an s2i build
 $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/build/tc499515/test-buildconfig-user0.json
3. Check the build status

Actual results:
Build is completed

Expected results:
Build fails with an error in the log:
"must specify a user that is numeric and within the range of allowed users"

Additional info:

Comment 1 Ben Parees 2017-06-23 15:27:15 UTC
David, any chance this is related to the scc/admission work you've been doing?  I know you mentioned we're doing this in a weird way.

Comment 2 David Eads 2017-06-26 13:43:51 UTC
@bparees  I don't think so.  My work still hasn't merged: https://github.com/openshift/origin/pull/14775

Comment 3 Ben Parees 2017-06-26 22:52:21 UTC
PR: https://github.com/openshift/origin/pull/14891

Comment 4 openshift-github-bot 2017-06-27 14:50:45 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/d186041d1a4a94b391c6783458e206b6d12f0557
pass an internal pod object to SCC admission control so it works

https://bugzilla.redhat.com/show_bug.cgi?id=1464356

bug 1464356

Comment 6 Dongbo Yan 2017-07-03 02:49:08 UTC
Test with
openshift v3.6.131
kubernetes v1.6.1+5115d708d7
etcd 3.2.1

The build failed, and the build log shows "must specify a user that is numeric and within the range of allowed users".

Could move to verified.
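
The check the reporter expected, and Comment 6 confirmed, sketched as an added example (not code from OpenShift or source-to-image): it validates the user recorded in a builder image's config against an allowed UID range. The function name, the range type and the sample policy are assumptions; only the error text comes from this report.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// errUser reuses the message quoted in the bug report.
var errUser = errors.New("must specify a user that is numeric and within the range of allowed users")

// uidRange is a hypothetical inclusive range of UIDs a builder image may run as.
type uidRange struct{ from, to uint64 }

// checkImageUser validates the User value of an image config, i.e. what the
// last Dockerfile USER instruction produced. An empty value means the
// container runtime default, which is root, so it is rejected as well.
func checkImageUser(user string, allowed []uidRange) error {
	// "1001:0" carries a group after the colon; only the user part is checked.
	name := strings.SplitN(strings.TrimSpace(user), ":", 2)[0]
	// Named users are rejected: a name cannot be resolved to a UID without
	// reading /etc/passwd inside the image, and it may map to UID 0.
	// ParseUint also rejects signs, so "+1001" is not treated as numeric.
	uid, err := strconv.ParseUint(name, 10, 32)
	if err != nil {
		return errUser
	}
	for _, r := range allowed {
		if uid >= r.from && uid <= r.to {
			return nil
		}
	}
	return errUser
}

func main() {
	// Constructed policy for illustration: any UID except root.
	allowed := []uidRange{{1, 1<<31 - 1}}
	// Constructed sample values, including the "USER 0" case from the report.
	for _, u := range []string{"0", "", "root", "0:0", "1001", "1001:0"} {
		fmt.Printf("USER %-8q -> %v\n", u, checkImageUser(u, allowed))
	}
}
```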