Bug 1568292
| Field | Value |
|---|---|
| Summary | [3.5]Failed to prevent s2i builder images from running as root |
| Product | OpenShift Container Platform |
| Component | Build |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | 3.5.1 |
| Target Release | 3.5.z |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Dongbo Yan <dyan> |
| Assignee | Adam Kaplan <adam.kaplan> |
| QA Contact | Dongbo Yan <dyan> |
| CC | adam.kaplan, aos-bugs, bparees, dyan, wzheng |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2018-12-03 17:35:00 UTC |

Doc Text:

- Cause: the pod admission controller returned false positives that impacted logic used by the OpenShift build controller
- Consequence: source-to-image (s2i) build containers were allowed to run as the root user
- Fix: pod admission controller checks for s2i builds return correct results
- Result: s2i build containers are not allowed to run as the root user by default

Description
Dongbo Yan
2018-04-17 07:28:52 UTC
Also can reproduce on release version v3.5.5.31.66, so removing regression keyword.

Could not reproduce with default installation (origin 1.5 via oc cluster up). These builds can be allowed if the cluster admin grants the `builder` service account an elevated security context constraint, such as `anyuid`. Can you please provide the security context constraints applied to the builder service account for these tests?

Related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1464356

Pull Request: https://github.com/openshift/ose/pull/1272

Verified

```
oc v3.5.5.31.80
kubernetes v1.5.2+43a9be4
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server
openshift v3.5.5.31.80
kubernetes v1.5.2+43a9be4

# oc logs -f build/ruby-sample-build-user0-1
Cloning "https://github.com/openshift/ruby-hello-world.git" ...
Commit: 7ccd3242c49c3868195ca9400a539fa611111096 (Merge pull request #71 from bparees/gemfile2)
Author: Ben Parees <bparees.github.com>
Date: Fri Feb 9 18:24:07 2018 -0500
error: build error: image "docker.io/aosqe/ruby-20-centos7:user0" must specify a user that is numeric and within the range of allowed users
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3624
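
The rule stated in the verification error above (a builder image "must specify a user that is numeric and within the range of allowed users") can be checked before a build is submitted. The following is an added example, not OpenShift's code and not part of the original bug report; `checkImageUser` and `uidRange` are hypothetical names, and the UID range in `main` is a constructed sample value.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// uidRange is an inclusive range of UIDs a build container may run as.
type uidRange struct{ min, max int64 }

// checkImageUser is a hypothetical helper (an assumption, not OpenShift's
// implementation). It takes the USER value from an image's config
// ("", "name", "uid" or "uid:gid") and returns the reason the image would
// be refused as an s2i builder, or nil when the user is acceptable.
func checkImageUser(user string, allowed uidRange) error {
	// Only the user part matters here; a trailing ":group" is ignored.
	name := strings.TrimSpace(strings.SplitN(user, ":", 2)[0])
	if name == "" {
		// An image with no USER set runs as root (UID 0).
		name = "0"
	}
	uid, err := strconv.ParseInt(name, 10, 64)
	if err != nil || uid < 0 {
		// A named user can only be resolved through the image's own
		// /etc/passwd, so it may map to UID 0 and cannot be trusted.
		return fmt.Errorf("user %q is not numeric", name)
	}
	if uid < allowed.min || uid > allowed.max {
		return fmt.Errorf("uid %d is outside allowed range %d-%d",
			uid, allowed.min, allowed.max)
	}
	return nil
}

func main() {
	allowed := uidRange{min: 1000000000, max: 1000009999} // constructed sample range
	// Constructed sample USER values, including the "user0" style tag from the log.
	for _, u := range []string{"user0", "", "0", "1001", "1000000001", "1000000001:0"} {
		if err := checkImageUser(u, allowed); err != nil {
			fmt.Printf("%-16q REJECT: %v\n", u, err)
		} else {
			fmt.Printf("%-16q allow\n", u)
		}
	}
}
```
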