Bug 1805488

Summary: Some core components are in openshift.io/run-level 1 and are bypassing SCC, but should not be
Product: OpenShift Container Platform Reporter: Clayton Coleman <ccoleman>
Component: SecurityAssignee: Stefan Schimanski <sttts>
Status: CLOSED EOL QA Contact: xiyuan
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.4CC: aos-bugs, eparis, fcanogab, jialiu, markmc, mfojtik, nstielau, scuppett, sfowler, sponnaga, sttts, vlaad, wsun, xtian, xxia, ykashtan
Target Milestone: ---Keywords: Reopened, Tracking
Target Release: 4.7.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1805570 1806438 1806892 1806893 1806902 1806903 1806904 1806905 1806906 1806907 1806908 1806909 1806913 1806915 1806917 1806918 1806919 1966621 (view as bug list) Environment:
Last Closed: 2022-08-30 17:18:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1805572, 1805917, 1806438, 1806439, 1806892, 1806893, 1806902, 1806903, 1806904, 1806905, 1806906, 1806907, 1806908, 1806909, 1806913, 1806915, 1806917, 1806918, 1806919, 1807490, 1807659, 1807762, 1830496, 1830497    
Bug Blocks: 1966621    

Description Clayton Coleman 2020-02-20 21:27:33 UTC 
Run-level 1 bypasses SCC, but many components have no need for that (are less secure as a result).  Every component that does not need to be up before SCC starts should be in either the anyuid or restricted SCC profile so they get a stable SELinux label.

Because these components are running without the appropriate restrictions, the security profile of these core components is weaker than it should be.

All platform components that can run without a run level MUST do so, and use anyuid or restricted unless they can make a case for host network or privileged. Those components should be granted access to the protected SCCs.

Each component listed here must be reviewed to determine whether it must be in run-level 1 or not, and if not, the label should be removed and appropriate SCC bindings created.

NAME                                      STATUS   AGE
openshift-apiserver                       Active   36m
openshift-cloud-credential-operator       Active   43m
openshift-cluster-version                 Active   43m
openshift-controller-manager              Active   43m
openshift-insights                        Active   43m
openshift-kni-infra                       Active   43m
openshift-kube-storage-version-migrator   Active   36m
openshift-machine-api                     Active   43m
openshift-machine-config-operator         Active   43m
openshift-openstack-infra                 Active   43m
openshift-operator-lifecycle-manager      Active   43m
openshift-operators                       Active   43m
openshift-ovirt-infra                     Active   43m
openshift-service-ca                      Active   36m
openshift-service-ca-operator             Active   43m
openshift-support                         Active   43m
openshift-vsphere-infra                   Active   43m
Comment 1 Clayton Coleman 2020-02-20 21:30:10 UTC 
Insights and support handled in https://github.com/openshift/insights-operator/pull/78
Comment 2 Clayton Coleman 2020-02-20 21:31:57 UTC 
Components that may already have child pods in the namespace should grant the "anyuid" SCC to all pods in their namespace (group "system:serviceaccount:NAMESPACE") if there is a chance user workloads or arbitrary pods have already landed.
Comment 14 Sudha Ponnaganti 2020-03-05 00:14:07 UTC 

*** This bug has been marked as a duplicate of bug 1807436 ***
Comment 17 Stefan Schimanski 2020-03-12 15:32:17 UTC 
We made quite a bit of progress on the topic. But there are core components like service-ca and openshift-apiserver which need serious changes in the architecture to fix. Hence, we move this umbrella BZ to 4.5 for follow-up work.
Comment 18 Stephen Cuppett 2020-06-11 12:31:00 UTC 
This isn't a showstopper for 4.5.0 GA at this point. Setting target release to 4.6.0 (the current development branch). For fixes (if any) requested/required on prior versions, clones will be created targeting those z-stream releases as appropriate.
Comment 22 Mark Cooper 2021-06-21 04:45:00 UTC 
Infra namespaces fix: 

 - openshift-openstack-infra
 - openshift-kni-infra
 - openshift-ovirt-infra
 - openshift-vsphere-infra

https://bugzilla.redhat.com/show_bug.cgi?id=1973525
https://github.com/openshift/machine-config-operator/pull/2627/files
Comment 23 Mark Cooper 2021-06-29 03:04:08 UTC 
 - openshift-vertical-pod-autoscaler

https://bugzilla.redhat.com/show_bug.cgi?id=1974567 

 - openshift-kubevirt-infra

https://bugzilla.redhat.com/show_bug.cgi?id=1977129
Comment 24 Mark Cooper 2021-11-03 07:23:32 UTC 
 - MCO 

https://bugzilla.redhat.com/show_bug.cgi?id=1978581

 - CVO there is this comment here: https://github.com/openshift/cluster-version-operator/pull/24 saying that it is required, but that was 2018, not sure if it still is.
Comment 25 Matt Catsimanes 2021-12-17 01:49:39 UTC 
@sponnaga
Comment 26 Mark Cooper 2021-12-17 01:53:15 UTC 
CVO 
 - https://github.com/openshift/cluster-version-operator/pull/623
 - https://bugzilla.redhat.com/show_bug.cgi?id=2020107
Comment 30 Yuval Kashtan 2022-02-23 20:23:28 UTC 
I think we've fully removed `run-level: 1` from openshift now
and we can close this one :-)
Comment 35 Vikas Laad 2022-08-30 17:18:52 UTC 
4.7 is EOL now, closing all the bugs.
Comment 36 Red Hat Bugzilla 2023-09-15 01:29:11 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days