Bug 1830496

Summary: PTP operator is in openshift.io/run-level 1 and bypassing SCC
Product: OpenShift Container Platform Reporter: Mark McLoughlin <markmc>
Component: NetworkingAssignee: Federico Paolinelli <fpaoline>
Networking sub component: ptp QA Contact: huirwang
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: unspecified CC: bbennett, huirwang
Version: 4.5   
Target Milestone: ---   
Target Release: 4.5.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-13 17:34:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1805488, 1966621    

Description Mark McLoughlin 2020-05-02 08:44:00 UTC 
The openshift-ptp namespace is labelled with openshift.io/run-level: "1"

From bug #1805488:

Run-level 1 bypasses SCC, but many components have no need for that (are less secure as a result).  Every component that does not need to be up before SCC starts should be in either the anyuid or restricted SCC profile so they get a stable SELinux label.

Because these components are running without the appropriate restrictions, the security profile of these core components is weaker than it should be.

All platform components that can run without a run level MUST do so, and use anyuid or restricted unless they can make a case for host network or privileged. Those components should be granted access to the protected SCCs.

Each component listed here must be reviewed to determine whether it must be in run-level 1 or not, and if not, the label should be removed and appropriate SCC bindings created.


If the PTP operator has a genuine need to run at this level, it would at least be helpful to briefly document the reason for that as a comment above the label.
Comment 1 Federico Paolinelli 2020-05-08 16:21:35 UTC 
Opened https://github.com/openshift/ptp-operator/pull/55
Comment 5 errata-xmlrpc 2020-07-13 17:34:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409