Bug 1931838
Summary: | Capabilities are not being dropped when using keyword "all" in the container's securityContext | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Mario Vázquez <mavazque> |
Component: | Node | Assignee: | Qi Wang <qiwan> |
Node sub component: | CRI-O | QA Contact: | MinLi <minmli> |
Status: | CLOSED NOTABUG | Docs Contact: | |
Severity: | medium | ||
Priority: | medium | CC: | ahoffer, aos-bugs, djuran, dwalsh, jokerman, nagrawal, rphillips, tsweeney |
Version: | 4.6 | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Last Closed: | 2021-03-15 19:50:30 UTC | Type: | Bug |
Description
Mario Vázquez
2021-02-23 11:13:33 UTC
This has been discussed in the crio team. It's not a crio bug. The current result is expected, crio does not drop any capabilities. The document of SCC may be misleading in using ALL.

(In reply to Qi Wang from comment #1)
> This has been discussed in the crio team. It's not a crio bug. The current
> result is expected, crio does not drop any capabilities. The document of SCC
> may be misleading in using ALL.

It seems this was supported when docker was the runtime used by OpenShift 3. Would it be possible to get it implemented in CRIO? - If you think it's possible I'll open an RFE.

> It seems this was supported when docker was the runtime used by OpenShift 3.
> Would it be possible to get it implemented in CRIO? - If you think it's
> possible I'll open an RFE.
Thanks. I don't think it's planned to be implemented. The current result is expected and stays consistent with containerd.
Ref: openshift-docs PR will update the SCC instructions https://github.com/openshift/openshift-docs/pull/30197

The above PR has been merged and doc updates are live: https://docs.openshift.com/container-platform/4.6/authentication/managing-security-context-constraints.html#security-context-constraints-creating_configuring-internal-oauth
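
A way to confirm from inside a container whether a `drop` entry in its securityContext actually took effect, added here as an example and not part of the bug report or of CRI-O's code: it decodes the `Cap*` masks that Linux exposes in `/proc/<pid>/status`. The function names, the `sample` helper and the sample masks are constructed for illustration.

```python
import re

# Capability names indexed by bit number (order from linux/capability.h).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")


def decode_mask(mask):
    """Turn a capability bitmask into a list of capability names."""
    return [
        CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"bit{bit}"
        for bit in range(mask.bit_length())
        if mask >> bit & 1
    ]


def leftover_caps(status_text):
    """Return {field: [names]} for each non-empty set; {} means all dropped."""
    found = {
        m.group(1): int(m.group(2), 16)
        for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    }
    missing = [f for f in CAP_FIELDS if f not in found]
    if missing:
        raise ValueError(f"status text lacks {missing}")
    return {f: decode_mask(found[f]) for f in CAP_FIELDS if found[f]}


def sample(inh, prm, eff, bnd, amb):
    """Build a constructed /proc/<pid>/status excerpt (not captured output)."""
    masks = zip(CAP_FIELDS, (inh, prm, eff, bnd, amb))
    return "Name:\tsleep\n" + "".join(f"{k}:\t{v:016x}\n" for k, v in masks)


DEFAULTS = 0xA80425FB  # constructed 14-capability mask, not a CRI-O default
ROOT_NOT_DROPPED = sample(0, DEFAULTS, DEFAULTS, DEFAULTS, 0)
# A non-root process typically shows empty CapPrm/CapEff even when nothing was
# dropped; only the bounding set (CapBnd) reveals that the drop did not happen.
NONROOT_NOT_DROPPED = sample(0, 0, 0, DEFAULTS, 0)
ALL_DROPPED = sample(0, 0, 0, 0, 0)

if __name__ == "__main__":
    with open("/proc/self/status") as fh:  # run inside the container
        print(leftover_caps(fh.read()) or "all capability sets are empty")
```

An empty result is the only outcome that shows every capability was removed; a result containing only `CapBnd` means the process currently holds no capabilities but the runtime left the bounding set in place.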