Bug 1914407

Summary: It's not clear that node-ca is running as non-root
Product: OpenShift Container Platform
Reporter: John McMeeking <jmcmeek>
Component: Image Registry
Assignee: Ricardo Maraschini <rmarasch>
Status: CLOSED ERRATA
QA Contact: Wenjing Zheng <wzheng>
Severity: low
Docs Contact:
Priority: low
Version: 4.6
CC: aos-bugs, rmarasch
Target Milestone: ---
Keywords: UpcomingSprint
Target Release: 4.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Absence of an explicit user id and group id on the node-ca DaemonSet.
Consequence: Confused interpretation of which user and group are in use in the node-ca pods.
Fix: Explicitly provide the node-ca DaemonSet with runAsUser and runAsGroup configuration to make this clear.
Result: Better, easier and cleaner understanding by simply inspecting node-ca's DaemonSet YAML.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-24 15:51:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description John McMeeking 2021-01-08 18:26:04 UTC
Description of problem:

The image registry "node-ca" securityContext says the pod is privileged and does not specify a user. I (perhaps naively) expected to see the container running as root, while it actually runs as uid=1001. Digging deeper, I see uid=1001 matches up with host file permissions, so it makes sense.

I encountered that as part of looking for pods that run as root in prep for running in a financial services environment.

- Can you confirm the "node-ca" pod should be privileged?

- Would you consider adding "runAsUser: 1001" to the securityContext rather than relying on the container image?  If nothing else, it might make this behavior clearer.


Version-Release number of selected component (if applicable):

$ oc version
Client Version: 4.5.0-202005291417-9933eb9
Server Version: 4.6.9
Kubernetes Version: v1.19.0+7070803


How reproducible:

Always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Wenjing Zheng 2021-02-04 03:12:26 UTC
Verified on 4.7.0-0.nightly-2021-02-02-164630:
$ oc get ds node-ca -o yaml | grep runAs
                  f:runAsGroup: {}
                  f:runAsUser: {}
          runAsGroup: 0
          runAsUser: 1001
$ oc rsh node-ca-2v56t
sh-4.4$ id  
uid=1001(1001) gid=0(root) groups=0(root)
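The description asks for an explicit runAsUser so the effective uid can be read off the manifest instead of depending on the image's USER directive, the Doc Text describes that fix, and Comment 2 verifies it by grepping the DaemonSet and running `id` inside the pod. The Python below is an added example, not code from this bug report or from the OpenShift image registry operator: it audits workload manifests in the JSON shape that `oc get ds -o json` emits and reports, per container, the effective runAsUser/runAsGroup (container-level securityContext overrides pod-level, as Kubernetes does) together with whether the uid is actually pinned in the manifest. The two DaemonSets and the Deployment in SAMPLE_LIST are constructed samples with placeholder image names, modelled on the "before" and "after" shapes this bug describes; they are not real cluster output.

```python
"""Audit Kubernetes/OpenShift workloads for an explicit runAsUser/runAsGroup.

Added example; assumes the JSON document shape produced by
`oc get <kind> -o json` (a single object or a kind: List).
"""
import json

# Constructed sample manifests (not real cluster output). Image names are placeholders.
SAMPLE_LIST = json.dumps({
    "kind": "List",
    "items": [
        {   # "before" shape: privileged, uid left to the container image
            "kind": "DaemonSet",
            "metadata": {"name": "node-ca-before", "namespace": "openshift-image-registry"},
            "spec": {"template": {"spec": {
                "securityContext": {},
                "containers": [{"name": "node-ca", "image": "example/node-ca:placeholder",
                                "securityContext": {"privileged": True}}]}}},
        },
        {   # "after" shape: uid/gid pinned at container level
            "kind": "DaemonSet",
            "metadata": {"name": "node-ca-after", "namespace": "openshift-image-registry"},
            "spec": {"template": {"spec": {
                "securityContext": {},
                "containers": [{"name": "node-ca", "image": "example/node-ca:placeholder",
                                "securityContext": {"privileged": True,
                                                    "runAsUser": 1001, "runAsGroup": 0}}]}}},
        },
        {   # uid pinned only at pod level; the container inherits it
            "kind": "Deployment",
            "metadata": {"name": "pod-level-only", "namespace": "example"},
            "spec": {"template": {"spec": {
                "securityContext": {"runAsUser": 1001},
                "containers": [{"name": "app", "image": "example/app:placeholder"}]}}},
        },
    ],
})


def pod_spec_of(obj):
    """Return the pod spec for a bare Pod or for a workload that wraps a pod template."""
    if obj.get("kind") == "Pod":
        return obj["spec"]
    return obj["spec"]["template"]["spec"]


def effective(field, pod_spec, container):
    """Container-level securityContext overrides the pod-level one; None if neither sets it."""
    c_sc = container.get("securityContext") or {}
    p_sc = pod_spec.get("securityContext") or {}
    if field in c_sc:
        return c_sc[field]
    return p_sc.get(field)


def audit(manifest_json):
    """Return one finding dict per container in the manifest.

    explicit_user is False when neither pod nor container sets runAsUser,
    i.e. the uid the process ends up with depends on the image, which is
    exactly the ambiguity the reporter hit.
    """
    doc = json.loads(manifest_json)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    findings = []
    for obj in items:
        ps = pod_spec_of(obj)
        for c in ps.get("containers", []):
            uid = effective("runAsUser", ps, c)
            gid = effective("runAsGroup", ps, c)
            privileged = bool((c.get("securityContext") or {}).get("privileged"))
            findings.append({
                "workload": f'{obj["kind"]}/{obj["metadata"]["name"]}',
                "container": c["name"],
                "privileged": privileged,
                "runAsUser": uid,
                "runAsGroup": gid,
                "explicit_user": uid is not None,
                "root_uid": uid == 0,
            })
    return findings


def unpinned(findings):
    """Containers whose uid is not stated in the manifest: the reviewer must inspect the image."""
    return [f for f in findings if not f["explicit_user"]]


if __name__ == "__main__":
    for f in audit(SAMPLE_LIST):
        flag = "UNPINNED" if not f["explicit_user"] else "pinned  "
        print(f'{flag} {f["workload"]}/{f["container"]} privileged={f["privileged"]} '
              f'uid={f["runAsUser"]} gid={f["runAsGroup"]}')
```

Against a live cluster the same functions can be fed `oc get ds,deploy,sts -A -o json`; note that a pinned uid answers only the "which user" question, and a privileged container still warrants its own review regardless of uid, which is why `privileged` is reported separately rather than folded into the unpinned check.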

Comment 3 John McMeeking 2021-02-04 04:53:53 UTC
Looks good to me :-)  Thanks!

Are there any plans to back-port this?

Comment 8 errata-xmlrpc 2021-02-24 15:51:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633