Red Hat Bugzilla – Bug 1255536
OpenShift3: SecurityContextConstraints name reuse leading to privilege escalation
Last modified: 2016-11-08 11:28:41 EST
Aleksandar Kostadinov of Red Hat reports:
In OpenShift v3 you can create a SCC (SecurityContextConstraints) to allow
privileged docker containers in a project. If that project is later deleted the
SCC is left in the system and is not deleted. If another project is then created
with the same name as the original project the existing privileged SCC will be
applied to it.
This is operating as expected. It is up to the administrator to manage the SCC. They may choose to make entries in the SCC for users, groups, or service accounts that may or may not exist at the time. Cleaning unknown references would prevent that workflow.
Currently, administrators may also exercise more control over this by not allowing project administrators to delete projects.
Created a card to add an optional finalizer as an enhancement: https://trello.com/c/KicH8TSC/513-scc-optional-finalizer
CVE was rejected.
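The mechanism in the report is that an SCC grants by name: its `users` list holds entries such as `system:serviceaccount:<project>:<name>` and its `groups` list can hold `system:serviceaccounts:<project>`, and nothing removes those entries when the project goes away. Since Red Hat's response leaves cleanup to the administrator, the check a practitioner wants is an audit that finds such dangling, namespace-scoped grants and optionally prunes them. The following is an added example written for this page, not code from the bug report or from OpenShift; the SCC document, the project names (`ci-builds`, `legacy-app`) and the set of existing namespaces are constructed inputs, standing in for the output of `oc get scc <name> -o json` and `oc get namespaces -o name`. It handles both the per-service-account and the per-namespace group form, which goes slightly beyond the single case in the report.

```python
import json
import re

# Constructed sample input (not from the bug report): one SCC as returned by
# `oc get scc <name> -o json` on OpenShift 3. Project and account names are
# hypothetical.
SAMPLE_SCC_JSON = r'''
{
  "kind": "SecurityContextConstraints",
  "apiVersion": "v1",
  "metadata": {"name": "privileged-builder"},
  "allowPrivilegedContainer": true,
  "users": [
    "system:serviceaccount:ci-builds:builder",
    "system:serviceaccount:legacy-app:default",
    "alice"
  ],
  "groups": [
    "system:cluster-admins",
    "system:serviceaccounts:legacy-app"
  ]
}
'''

# Constructed: the project/namespace names that currently exist, as one would
# collect from `oc get namespaces -o name`. "legacy-app" has been deleted.
EXISTING_NAMESPACES = {"default", "openshift", "ci-builds"}

# Subject formats OpenShift uses for service accounts in SCC user/group lists.
SA_USER_RE = re.compile(r"^system:serviceaccount:([^:]+):([^:]+)$")
SA_GROUP_RE = re.compile(r"^system:serviceaccounts:([^:]+)$")


def load_scc(scc_json):
    """Parse the JSON form of one SCC into a dict."""
    return json.loads(scc_json)


def namespace_of_subject(subject):
    """Return the namespace a subject is scoped to, or None if it is not
    namespace-scoped (a plain user such as "alice", or a cluster-wide group)."""
    m = SA_USER_RE.match(subject) or SA_GROUP_RE.match(subject)
    return m.group(1) if m else None


def dangling_subjects(scc, existing_namespaces):
    """Subjects in the SCC that refer to a namespace that no longer exists.

    Returns a list of (field, subject) pairs. Each one would silently re-grant
    the SCC to a project recreated under the deleted project's name."""
    found = []
    for field in ("users", "groups"):
        for subject in scc.get(field) or []:
            ns = namespace_of_subject(subject)
            if ns is not None and ns not in existing_namespaces:
                found.append((field, subject))
    return found


def prune_scc(scc, existing_namespaces):
    """Return a copy of the SCC with the dangling namespace-scoped subjects
    removed; the same result an administrator gets by hand with
    `oc adm policy remove-scc-from-user` / `remove-scc-from-group`."""
    stale = {subject for _, subject in dangling_subjects(scc, existing_namespaces)}
    cleaned = json.loads(json.dumps(scc))  # deep copy, leave the input alone
    for field in ("users", "groups"):
        cleaned[field] = [s for s in scc.get(field) or [] if s not in stale]
    return cleaned


def audit_report(scc_json, existing_namespaces):
    """Summarise one SCC's dangling grants. The finding matters most when the
    SCC allows privileged containers, as in the reported scenario."""
    scc = load_scc(scc_json)
    return {
        "scc": scc["metadata"]["name"],
        "allows_privileged": bool(scc.get("allowPrivilegedContainer", False)),
        "dangling": dangling_subjects(scc, existing_namespaces),
    }


if __name__ == "__main__":
    report = audit_report(SAMPLE_SCC_JSON, EXISTING_NAMESPACES)
    for field, subject in report["dangling"]:
        print("%s: stale %s entry %s (allowPrivilegedContainer=%s)"
              % (report["scc"], field[:-1], subject, report["allows_privileged"]))
    print(json.dumps(prune_scc(load_scc(SAMPLE_SCC_JSON), EXISTING_NAMESPACES),
                     indent=2))
```

Run against a live cluster by feeding it every SCC from `oc get scc -o json` and the current namespace list; the pruned document is what an administrator would review before applying, since, as the response above notes, an entry for a not-yet-existing project may be intentional.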