Bug 1914446
| Summary: | openshift-service-ca-operator and openshift-service-ca pods run as root | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | John McMeeking <jmcmeek> |
| Component: | service-ca | Assignee: | Standa Laznicka <slaznick> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.6 | CC: | aos-bugs, kunsingh, mfojtik, thnguyen |
| Target Milestone: | --- | ||
| Target Release: | 4.8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: |
Feature:
Run service-ca-operator pods as a non-root user.
Reason:
Some view running a pod as the root user as a potential threat, even though there are other security mechanisms that still apply even for these
Result:
The service-ca-operator now runs as uid/gid 1001/1001 user.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-07-27 22:36:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1950337 | ||
This is very likely caused by https://bugzilla.redhat.com/show_bug.cgi?id=1806917 and https://bugzilla.redhat.com/show_bug.cgi?id=1806915. You can see the explanation about why this was in place in a comment in the latter BZ, specifically: https://bugzilla.redhat.com/show_bug.cgi?id=1806915#c1 - it was to prevent the circular component dependency. This measure is no longer needed and, as you can see in the above BZs, it is fixed in the next release (4.7). However, for the `openshift-service-ca-operator` pod and namespace, a manual intervention is necessary due to https://bugzilla.redhat.com/show_bug.cgi?id=1806917#c19. You would need to remove the offending label yourself and restart the namespace's pods. If you would like to avoid these manual steps, you can move this BZ to "Cluster Version Operator" component. Please let me know if that information is sufficient. Actually, I can see that even in the latest devel snapshot, service-ca operator is still running as root, let me investigate. So I looked into this, even with the new fixes, the pod will continue running as root. What exactly is the issue with the container running as root? It's still contained away from the rest of the system, and runs with limited capabilities. We're working with customers (like banks and governments) that have requirements that containers do not run as root. Some things clearly have to run as root but the smaller that list the better. *** Bug 1929801 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438 |
Description of problem: We see these pods running as root in our 4.6 cluster. We don't see a reason why they need to do that. - openshift-service-ca-operator/service-ca-operator - openshift-service-ca/service-ca To run in a financial services environment we need to explain why these are running as root or (preferably) change them if root is not required. Can you provide an explanation or change these as appropriate? Version-Release number of selected component (if applicable): $ oc version Client Version: 4.5.0-202005291417-9933eb9 Server Version: 4.6.9 Kubernetes Version: v1.19.0+7070803 How reproducible: Always Steps to Reproduce: 1. oc exec -n NS POD -- ps -e -o pid,uid,cmd 2. 3. Actual results: + oc exec -n openshift-service-ca-operator service-ca-operator-5fdbb8bf4-fb4vs -- ps -e -o pid,uid,cmd PID UID CMD 1 0 service-ca-operator operator --config=/var/run/configmaps/config/operator-config.yaml -v=4 + oc exec -n openshift-service-ca service-ca-7bcdd8f55b-n48bm -- ps -e -o pid,uid,cmd PID UID CMD 1 0 service-ca-operator controller -v=2 Expected results: UID is not 0 Additional info: