Bug 1966621

Summary: assisted-installer namespace uses openshift.io/run-level and bypasses SCC, but should not be
Product: Red Hat Advanced Cluster Management for Kubernetes
Reporter: Mat Kowalski <mko>
Component: Infrastructure Operator
Assignee: Mat Kowalski <mko>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact: Derek <dcadzow>
Priority: low
Version: rhacm-2.4
CC: asegurap, ccrum, eparis, fpercoco, jialiu, markmc, mfojtik, nstielau, scuppett, sfowler, sponnaga, sttts, trwest, wsun, xiyuan, xtian, xxia, yfirst, ykashtan
Target Milestone: ---
Keywords: Reopened, Tracking, Triaged
Target Release: rhacm-2.5
Flags: ming: rhacm-2.4+
Hardware: Unspecified
OS: Unspecified
Whiteboard: AI-Team-Platform
Fixed In Version:
Doc Type: No Doc Update
Clone Of: 1805488
Environment:
Last Closed: 2022-10-03 20:18:56 UTC
Type: ---
Bug Depends On: 1805488, 1805572, 1805917, 1806438, 1806439, 1806892, 1806893, 1806902, 1806903, 1806904, 1806905, 1806906, 1806907, 1806908, 1806909, 1806913, 1806915, 1806917, 1806918, 1806919, 1807490, 1807659, 1807762, 1830496, 1830497    
Bug Blocks: 2010901    

Description Mat Kowalski 2021-06-01 14:15:29 UTC
+++ This bug was initially created as a clone of Bug #1805488 +++

Run-level 1 bypasses SCC, but many components have no need for that (are less secure as a result).  Every component that does not need to be up before SCC starts should be in either the anyuid or restricted SCC profile so they get a stable SELinux label.

Because these components are running without the appropriate restrictions, the security profile of these core components is weaker than it should be.

All platform components that can run without a run level MUST do so, and use anyuid or restricted unless they can make a case for host network or privileged. Those components should be granted access to the protected SCCs.

+++

In our scenario, the `assisted-installer` namespace in a cluster created using Assisted Installer is labeled as `openshift.io/run-level: "0"`. This has been done for performance reasons so that the controller starts as soon as possible during the installation.

Comment 2 Mat Kowalski 2021-06-04 09:13:02 UTC
One path worth investigating is the use of pod priority classes [1] in order to mark assisted-installer-controller. There are already default classes defined, and reusing one of those could give us the same result (scheduling-wise) as the current approach with run-level.

[1] https://docs.openshift.com/container-platform/4.7/nodes/pods/nodes-pods-priority.html#admin-guide-priority-preemption-priority-class_nodes-pods-priority
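
A read-only audit for the condition this bug describes, as an added example that is not part of the bug report or the assisted-installer code: it flags namespaces labeled `openshift.io/run-level` 0 or 1 and lists the pods in them that carry no `openshift.io/scc` annotation. The sample objects, the pod names and the `EXPECTED` allowlist are constructed assumptions.

```python
import json

RUN_LEVEL_LABEL = "openshift.io/run-level"
SCC_ANNOTATION = "openshift.io/scc"  # added to a pod by SCC admission when it admits it

# Constructed sample: a List of Namespace and Pod objects in the shape that
# `oc get ... -o json` returns. Names and values are made up for illustration.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Namespace", "metadata": {"name": "assisted-installer",
   "labels": {"openshift.io/run-level": "0"}}},
 {"kind": "Namespace", "metadata": {"name": "kube-system",
   "labels": {"openshift.io/run-level": "0"}}},
 {"kind": "Namespace", "metadata": {"name": "example-app", "labels": {}}},
 {"kind": "Pod", "metadata": {"name": "assisted-installer-controller-x1",
   "namespace": "assisted-installer"}},
 {"kind": "Pod", "metadata": {"name": "web-1", "namespace": "example-app",
   "annotations": {"openshift.io/scc": "restricted"}}}
]}
""")

# Assumption: namespaces the cluster owner accepts as needing a run level.
EXPECTED = {"kube-system"}

def audit(doc, expected=EXPECTED):
    """Return {namespace: {"run_level": str, "pods_without_scc": [names]}}
    for every namespace outside `expected` that is labeled run-level 0 or 1."""
    findings = {}
    # Pass 1: namespaces whose run-level label takes them out of SCC admission.
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        level = (meta.get("labels") or {}).get(RUN_LEVEL_LABEL)
        if (item.get("kind") == "Namespace" and level in ("0", "1")
                and meta.get("name") not in expected):
            findings[meta["name"]] = {"run_level": level, "pods_without_scc": []}
    # Pass 2: pods in those namespaces that were never stamped with an SCC.
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        ns = meta.get("namespace")
        if item.get("kind") == "Pod" and ns in findings:
            if SCC_ANNOTATION not in (meta.get("annotations") or {}):
                findings[ns]["pods_without_scc"].append(meta["name"])
    return findings

if __name__ == "__main__":
    for ns, finding in audit(SAMPLE).items():
        print(ns, finding)
```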