Description of problem:
This is a regression of bug 1255022. Remote shell and exec is allowed on privileged pods
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Edit scc to allow privileged pods
2. oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/storage/nfs/nfs-server.yaml
3. oc rsh nfs-server
4. oc exec nfs-server ls
Step 3 and 4 are both successful
Step 3 and 4 should fail because the container is prvileged
This was changed in https://github.com/openshift/origin/pull/4755 to allow someone who has permissions to create the pod to exec into it. If, by SCC permissions, you could create the pod you're trying to reach you are allowed to use it.
This has replaced the blanket denial: https://github.com/openshift/origin/pull/4755/files#diff-05523003a782d7b3b61c2608a29dfb39
Thank you. So this is working correctly as we expect. I was able to exec/rsh to a pod I created.
This fix is available in OpenShift Enterprise 3.1.