Bug 2041730

Summary: Linux capabilities configured in SCC have no effect for non-root container user
Product: OpenShift Container Platform
Reporter: pan.pur <pan.pur>
Component: Unknown
Assignee: Praveen Kumar <prkumar>
Status: CLOSED DEFERRED
QA Contact: Tomáš Sedmík <tsedmik>
Severity: high
Docs Contact: Kevin Owen <kowen>
Priority: unspecified
Version: 4.9
CC: cfergeau, eparis, gbraad, kowen, tsedmik, veillard, wlewis
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-03-09 01:11:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description pan.pur@gmail.com 2022-01-18 07:51:43 UTC
Description of problem:
Linux capabilities configured in an SCC have no effect.

Version-Release number of selected component (if applicable):
-

How reproducible:
Always

Steps to Reproduce:
1. Create a new project with a deployment config that uses an image built from this simple Dockerfile:
FROM debian:bullseye-slim

# Install the capability tools and the two test binaries, add an
# unprivileged user, and grant each binary the file capability it needs.
RUN apt-get update && \
    apt-get install -y libcap2-bin iputils-ping iproute2 && \
    useradd uv --shell /bin/bash --create-home && \
    setcap cap_net_admin+ep /bin/ip && \
    setcap cap_net_raw+ep /bin/ping

CMD ["/bin/ping","google.com"]

2. Create an SCC using the following config:
allowedCapabilities: ["*"]
defaultAddCapabilities: ["NET_RAW", "NET_ADMIN"]
requiredDropCapabilities: []

3. Apply the SCC to a service account
4. Apply the service account to the deployment config
5. After the pod is running, exec into the container and run: /bin/ip xfrm policy flush

Actual results:
RTNETLINK answers: Operation not permitted

Expected results:
The ip command should work.
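Added diagnostic for the situation in this report; it is not part of the bug, of the reporter's reproduction, or of OpenShift. The kernel only honours a capability that is in the process's effective set (CapEff in /proc/<pid>/status). Whatever a container runtime "adds" lands at least in the bounding set (CapBnd); for a non-root user it reaches permitted/effective only if the runtime also makes it ambient, and a file capability such as setcap cap_net_admin+ep can raise it at exec time only while it is still in CapBnd. The script below decodes the Cap* lines of a status file and says, for one capability, which of those three cases applies. The sample status texts are constructed, and the helper names (parse_cap_sets, diagnose, ...) are mine.

```python
"""Decode the CapInh/CapPrm/CapEff/CapBnd/CapAmb masks of /proc/<pid>/status
and explain why a syscall that needs a given capability may still fail for a
non-root container user (added example, not part of the bug report)."""
import re
import sys

# Capability names indexed by their bit number (from linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed sample: a non-root shell whose runtime put NET_ADMIN (bit 12)
# and NET_RAW (bit 13) into the bounding set on top of the usual runtime
# defaults, but nothing into permitted, effective or ambient.
SAMPLE_NONROOT = (
    "Name:\tbash\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t00000000a80435fb\n"
    "CapAmb:\t0000000000000000\n"
)
# Constructed sample: same process, but NET_ADMIN never reached the bounding set.
SAMPLE_NONROOT_NO_ADMIN = SAMPLE_NONROOT.replace("a80435fb", "a80425fb")


def cap_bit(name):
    """Bit number of a capability, accepting cap_net_admin or CAP_NET_ADMIN."""
    return CAP_NAMES.index(name.upper())


def parse_cap_sets(status_text):
    """Return {set name: integer mask} parsed from /proc/<pid>/status text."""
    sets = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    missing = [s for s in CAP_SETS if s not in sets]
    if missing:
        raise ValueError("status text lacks " + ", ".join(missing))
    return sets


def cap_names(mask):
    """Human-readable list of the capabilities set in a mask."""
    return [n for i, n in enumerate(CAP_NAMES) if mask >> i & 1]


def diagnose(status_text, cap):
    """Locate `cap` in each set and give a verdict:
    effective               - the kernel will honour it now;
    raisable_by_file_cap    - not effective, but still in CapBnd, so a binary
                              with a matching +ep file capability can gain it;
    blocked_by_bounding_set - not in CapBnd, so no file capability can help."""
    bit = cap_bit(cap)
    sets = parse_cap_sets(status_text)
    where = {s: bool(sets[s] >> bit & 1) for s in CAP_SETS}
    if where["CapEff"]:
        verdict = "effective"
    elif where["CapBnd"]:
        verdict = "raisable_by_file_cap"
    else:
        verdict = "blocked_by_bounding_set"
    return {"cap": cap.upper(), "in": where, "verdict": verdict}


def explain(result):
    """One-line rendering of a diagnose() result."""
    sets = ", ".join(f"{s}={'y' if v else 'n'}" for s, v in result["in"].items())
    return f"{result['cap']}: {sets} -> {result['verdict']}"


if __name__ == "__main__":
    # Usage inside the container: python3 capdiag.py [pid] [CAP_NAME ...]
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    caps = sys.argv[2:] or ["CAP_NET_ADMIN", "CAP_NET_RAW"]
    with open(f"/proc/{pid}/status") as f:
        text = f.read()
    for c in caps:
        print(explain(diagnose(text, c)))
```

Running it from the shell obtained in step 5 (before invoking /bin/ip) separates the two failure modes the report cannot distinguish on its own: a CAP_NET_ADMIN verdict of blocked_by_bounding_set means the SCC's defaultAddCapabilities never reached the pod, while raisable_by_file_cap means the bounding set is right and the remaining suspects are the file capability on /bin/ip itself (getcap /bin/ip, and whether the image layer or mount options preserved it).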

Comment 2 Shiftzilla 2023-03-09 01:11:14 UTC
OpenShift has moved to Jira for its defect tracking! This bug can now be found in the OCPBUGS project in Jira.

https://issues.redhat.com/browse/OCPBUGS-9078