Bug 1914398
| Summary: | multus admission controller and metrics daemon running as root | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | John McMeeking <jmcmeek> |
| Component: | Networking | Assignee: | Nikhil Simha <nsimha> |
| Networking sub component: | multus | QA Contact: | Weibin Liang <weliang> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | | |
| Priority: | medium | CC: | bbennett, dosmith |
| Version: | 4.6 | | |
| Target Milestone: | --- | | |
| Target Release: | 4.9.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-18 17:28:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description of problem:
We see these pods running as root in our 4.6 cluster. I didn't see a reason why they need to do that.
- openshift-multus/multus-admission-controller (multus-admission-controller container)
- openshift-multus/network-metrics-daemon (network-metrics-daemon container)
To run in a financial services environment we need to explain why these are running as root or (preferably) change them if root is not required. Can you provide an explanation or change these as appropriate?

Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.5.0-202005291417-9933eb9
Server Version: 4.6.9
Kubernetes Version: v1.19.0+7070803

How reproducible: Always

Steps to Reproduce:
1. Run 'oc exec -n NS POD -- ps -e -o pid,uid,cmd'

Actual results:
+ oc exec -n openshift-multus multus-admission-controller-5t6l4 -c multus-admission-controller -- ps -e -o pid,uid,cmd
PID UID CMD
1 0 /usr/bin/webhook -bind-address=0.0.0.0 -port=6443 -tls-private-key-file=/etc/webhook/tls.key -tls-cert-file=/etc/webhook/tls.crt -alsologtostderr=true -metrics-listen-address=127.0.0.1:9091
+ oc exec -n openshift-multus network-metrics-daemon-5t8sw -c network-metrics-daemon -- ps -e -o pid,uid,cmd
PID UID CMD
1 0 /usr/bin/network-metrics --node-name 10.171.43.196

Expected results:
UID is not 0

Additional info:

Looks good! Thanks Nikhil
------------------------------ results
$ oc exec -n openshift-multus multus-admission-controller-gfjrl -c multus-admission-controller -- ps -e -o pid,uid,cmd
PID UID CMD
1 65534 /usr/bin/webhook -bind-address=0.0.0.0 -port=6443 -tls-private-key-file=/etc/webhook/tls.key -tls-cert-file=/etc/webhook/tls.crt -alsologtostderr=true -metrics-listen-address=127.0.0.1:9091
17 65534 ps -e -o pid,uid,cmd
$ oc exec -n openshift-multus network-metrics-daemon-bcn9c -c network-metrics-daemon -- ps -e -o pid,uid,cmd
PID UID CMD
1 65534 /usr/bin/network-metrics --node-name ci-ln-7bfwsy2-f76d1-npgwd-master-2
16 65534 ps -e -o pid,uid,cmd

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759
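As an added defender-side check, not code from this bug report or from the multus project: a POSIX shell script that applies the report's `ps -e -o pid,uid,cmd` probe to every container of every running pod in a namespace and flags any process whose UID is 0, so the same audit the reporter ran by hand can gate a CI or compliance job. The `oc` invocations, the helper names and the output format are assumptions; `find_root_processes` only parses ps output, so it can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the bug report. Audits every container in a
# namespace with the same probe the report uses (`ps -e -o pid,uid,cmd`) and
# flags any process running as UID 0. Assumes `oc` on PATH and `ps` inside
# each image; the helper names and output format are our own.

# Read `ps -e -o pid,uid,cmd` output on stdin and print the lines whose UID
# column is 0 (skipping the header). Exit 1 if any such line exists, else 0.
find_root_processes() {
    awk 'NR > 1 && $2 == 0 { found = 1; print } END { exit found ? 1 : 0 }'
}

# Probe one container (namespace, pod, container). Returns 1 when a UID 0
# process is found, 0 when none is, and 0 with a SKIP note when the probe
# itself fails (for example, the image does not ship `ps`).
audit_container() {
    ns="$1"; pod="$2"; ctr="$3"
    if ! out="$(oc exec -n "$ns" "$pod" -c "$ctr" -- ps -e -o pid,uid,cmd 2>/dev/null)"; then
        echo "SKIP  $ns/$pod/$ctr: oc exec failed (no ps in image?)"
        return 0
    fi
    if printf '%s\n' "$out" | find_root_processes >/dev/null; then
        echo "OK    $ns/$pod/$ctr: no process runs as UID 0"
        return 0
    fi
    echo "ROOT  $ns/$pod/$ctr:"
    printf '%s\n' "$out" | find_root_processes | sed 's/^/      /'
    return 1
}

# Probe every container of every Running pod in a namespace; return 1 if any
# container has a UID 0 process, so the script can fail an audit job.
audit_namespace() {
    ns="$1"; rc=0
    for pod in $(oc get pods -n "$ns" --field-selector=status.phase=Running \
                 -o jsonpath='{.items[*].metadata.name}'); do
        for ctr in $(oc get pod -n "$ns" "$pod" -o jsonpath='{.spec.containers[*].name}'); do
            audit_container "$ns" "$pod" "$ctr" || rc=1
        done
    done
    return "$rc"
}

# Usage: sh audit_root.sh openshift-multus
if [ "$#" -eq 1 ]; then
    audit_namespace "$1"
fi
```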