Bug 1991462

Summary: helper pod runs with root privileges during Must-gather collection (affects ODF Managed Services)
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: Neha Berry <nberry>
Component: must-gather
Assignee: yati padia <ypadia>
Status: CLOSED ERRATA
QA Contact: Elena Bondarenko <ebondare>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.7
CC: madam, muagarwa, ocs-bugs, odf-bz-bot, omitrani, sabose, sisharma, sostapov, ypadia
Target Milestone: ---
Target Release: ODF 4.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 4.10.0-132
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-04-13 18:49:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Neha Berry 2021-08-09 08:15:18 UTC
Description of problem (please be as detailed as possible and provide log snippets):
========================================================================
Any OCS pod running with root privileges is an issue for the ODF Managed Services offering, and with the fix for Bug 1976840, the toolbox pod created as part of ocs-operator runs without root privileges.

But when we initiate the Must-gather collection, two must-gather pods are created as part of the collection: one in the OCP namespace and one helper pod (similar to the toolbox pod) for collecting Ceph information. Both of these pods are seen to be running with root privileges.


Raising this separate bug based on discussions here:
--------------------------------------------------------

Bug 1976840#c19
Chat - https://chat.google.com/room/AAAASHA9vWs/aJzAHKpWAg4

Command  - oc adm must-gather --image=quay.io/rhceph-dev/ocs-must-gather:latest-4.7


>> PODS
==========
```
openshift-must-gather-4kfjf                        must-gather-2txtb                         2/2     Running     0          100s -> OCP
openshift-storage                                  must-gather-2txtb-helper                  1/1     Running     0          95s
```

>> Must-gather helper pod
============================
```
$ oc rsh -n openshift-storage must-gather-2txtb-helper whoami
root

$ oc get pod must-gather-2txtb-helper -n openshift-storage -o yaml
    securityContext:
      privileged: true
```

>> OCP must-gather pod running on master node
================================================
```
$ oc get pod -n openshift-must-gather-p7shc  must-gather-rppgs  -o yaml

 ...
  securityContext: {}

$ oc rsh -n openshift-must-gather-4kfjf must-gather-2txtb whoami
Defaulted container "gather" out of: gather, copy
root  --> root privileges
```

Version of all relevant components (if applicable):
=======================================================
All OCS versions

OCP = 4.7.0-0.nightly-2021-08-06-180629

OCS = ocs-operator.v4.7.3-243.ci

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?
==========================================================================
We need to consider the impact on Security services for Managed Services team.

Is there any workaround available to the best of your knowledge?
====================================================================
No. must-gather uses a pre-defined toolbox yaml for helper pod which did not take the changes introduced via Bug 1976840


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
======================================
3

Is this issue reproducible?
=================================
Always

Can this issue be reproduced from the UI?
==========================================
N/A

If this is a regression, please provide more details to justify this:
=======================================================================
No

Steps to Reproduce:
==========================

1. Install any OCS version, say 4.7.3 or 4.8
2. Run must-gather

If 4.7: oc adm must-gather --image=quay.io/rhceph-dev/ocs-must-gather:latest-4.7

3. RSH to the must-gather pods and check the user with "whoami", e.g.
```
$ oc rsh -n openshift-storage must-gather-2txtb-helper whoami
$ oc rsh -n openshift-must-gather-p7shc  must-gather-rppgs whoami
```


Actual results:
====================
The must-gather helper pod which gets created in the openshift-storage namespace and the MG pod created in a custom openshift namespace both run with root privileges.

Expected results:
=====================
For the Managed Services use case, the pods should not run with root privileges.



Additional info:
====================

Comment 4 Mudit Agarwal 2021-10-06 13:11:38 UTC
Yati, what is the latest status on this BZ?

Comment 5 yati padia 2021-10-06 13:27:57 UTC
The helper pod's privilege is changed, but I am looking into how we can change the privilege for the must-gather pod. Will make a PR for the same by the end of the week.

Comment 6 Mudit Agarwal 2021-10-14 16:06:25 UTC
Can't fix it before 4.9 dev freeze and not a blocker.
Can be backported if required.

Comment 7 yati padia 2021-11-02 07:31:34 UTC
Changed the root privilege for helper pod from root to user.

```
[yatipadia@192 ocs-operator]$ oc rsh -n openshift-storage must-gather-rmrm7-helper whoami
1000
```

Root privilege for the OCP must-gather pod running on the master node is not part of OCS-must-gather. Hence, I would suggest opening a separate bug under OCP.
```
[yatipadia@192 ocs-operator]$ oc get ns  | grep must-gather
openshift-must-gather-qpb5r                        Active   46s
[yatipadia@192 ocs-operator]$ oc get pods -n openshift-must-gather-qpb5r
NAME                READY   STATUS    RESTARTS   AGE
must-gather-rmrm7   2/2     Running   0          56s
[yatipadia@192 ocs-operator]$ oc rsh -n openshift-must-gather-qpb5r must-gather-rmrm7 whoami
Defaulted container "gather" out of: gather, copy
root
```

Raised a PR for the same: https://github.com/red-hat-storage/ocs-operator/pull/1397
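The two pod settings this report turns on, `securityContext: {privileged: true}` on the helper pod and an empty `securityContext` on the OCP must-gather pod (so the image's USER, root, wins), together with the non-root outcome Comment 7 verifies, as an added example that is not part of the bug report or of ocs-operator: a small auditor for pod objects of the kind `oc get pod -o json` returns. The three pod specs are constructed to mirror the report; the hardened spec's settings (pod-level `runAsNonRoot`/`runAsUser: 1000`, `allowPrivilegeEscalation: false`, dropped capabilities) are assumed, not the actual PR's change.

```python
import json

# Constructed pod specs (trimmed to the fields that matter), not real oc output.
# 1) the ODF helper pod as reported: privileged, no user set, so it runs as root.
HELPER_BEFORE = json.loads('''{
  "metadata": {"name": "must-gather-2txtb-helper", "namespace": "openshift-storage"},
  "spec": {"containers": [{"name": "helper",
                           "securityContext": {"privileged": true}}]}}''')
# 2) the OCP must-gather pod: empty securityContext, so the image USER decides.
MG_POD = json.loads('''{
  "metadata": {"name": "must-gather-2txtb", "namespace": "openshift-must-gather-4kfjf"},
  "spec": {"containers": [{"name": "gather", "securityContext": {}},
                          {"name": "copy", "securityContext": {}}]}}''')
# 3) an assumed hardened helper pod (not the PR diff): non-root UID 1000, as in Comment 7.
HELPER_AFTER = json.loads('''{
  "metadata": {"name": "must-gather-rmrm7-helper", "namespace": "openshift-storage"},
  "spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 1000},
           "containers": [{"name": "helper",
                           "securityContext": {"privileged": false,
                                               "allowPrivilegeEscalation": false,
                                               "capabilities": {"drop": ["ALL"]}}}]}}''')


def audit_pod(pod):
    """Return (container, finding) pairs for settings that let a container run as
    root or with host-level power. A container-level securityContext overrides
    the pod-level one, which is why both are consulted for the user fields."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append((c["name"], "privileged: true"))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0:
            findings.append((c["name"], "runAsUser: 0"))
        elif uid is None and not non_root:
            # Nothing pins the user: the image's USER decides, which is how
            # `securityContext: {}` still gave `whoami` -> root in the report.
            findings.append((c["name"], "no runAsUser/runAsNonRoot: image USER decides"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((c["name"], "allowPrivilegeEscalation not false"))
    return findings


if __name__ == "__main__":
    for pod in (HELPER_BEFORE, MG_POD, HELPER_AFTER):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

Feeding the `items` of `oc get pods -A -o json` through `audit_pod` gives the same check cluster-wide; the hardened spec is the only one of the three that comes back clean.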

Comment 16 errata-xmlrpc 2022-04-13 18:49:40 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.10.0 enhancement, security & bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:1372