Bug 1326193 - [RFE] allow finer-grained granting of custom build strategy
Summary: [RFE] allow finer-grained granting of custom build strategy
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Ben Parees
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-04-12 06:37 UTC by Miheer Salunke
Modified: 2023-09-14 23:59 UTC
CC: 11 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-12 13:54:36 UTC
Target Upstream Version:
Embargoed:



Description Miheer Salunke 2016-04-12 06:37:36 UTC
1. Proposed title of this feature request  

  [RFE] Custom strategy creates Vulnerability

3. What is the nature and description of the request?  

As per the OSE docs, and in practice, the usability of the Custom strategy creates a possible vulnerability:

A user can create a custom builder image and get access to the underlying node's resources via the Docker socket.
From: https://docs.openshift.com/enterprise/3.0/admin_guide/securing_builds.html#overview
Builds in OpenShift are run in privileged containers that have access to the Docker daemon socket. As a security measure, it is recommended to limit who can run builds and the strategy that is used for those builds. Custom builds are inherently less safe than Source builds, given that they can execute any code in the build with potentially full access to the node's Docker socket. Docker build permission should also be granted with caution as a vulnerability in the Docker build logic could result in privileges being granted on the host node.

We would require additional functionality to eliminate this risk:
The solution would be to enable functionality to have an "Approved Builder Image list for Custom Strategy".
We should be able to configure particular images to be used with the custom strategy, so that users will not be able to pass their own images for the custom strategy.

A second option would be the ability to add new build strategies, based on the custom strategy.


Recreate:
o create a custom builder image with sleep 9999 as the main command (CMD or RUN)
o create a deployment and build config with:
"spec": {
    "serviceAccount": "builder",
    "strategy": {
        "type": "Custom",
        "customStrategy": {
            "forcePull": true,
            "exposeDockerSocket": true
        }
    }
}

o create the app and rsh to the pod:
docker ps exposes all containers running on the node.

The standard option would be to disable the custom strategy via policy, but we need it to implement custom workflows (like build from Nexus, or a promotion client). We would require the ability to create a list of approved images for custom strategies, or the ability to create our own strategies.



7. Is there already an existing RFE upstream or in Red Hat Bugzilla?  
No  

    
10. List any affected packages or components.  
Openshift Enterprise 3.2 , builder image
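The control the reporter asks for, an approved builder image list for the Custom strategy, can be expressed as a validating check over the BuildConfig. The following is an added example and not OpenShift code or anything attached to this bug: it takes a BuildConfig document (the reporter's fragment, completed), refuses Custom-strategy builds whose builder image is not on an admin-maintained allowlist, and refuses any Custom-strategy build that sets exposeDockerSocket. The registry names, digests and the two sample BuildConfigs are constructed for illustration; the field names (spec.strategy.type, customStrategy.from, customStrategy.exposeDockerSocket) are those of the OpenShift BuildConfig API.

```python
"""Allowlist check for OpenShift BuildConfigs that use the Custom build strategy.

Added example, not OpenShift code. A Custom-strategy build passes only if its
builder image is on the approved list, and never if it requests the node's
Docker socket. Source and Docker builds are governed by other controls and
pass through here untouched.
"""

# Constructed allowlist (hypothetical registry). Entries are matched by exact
# string, so pin by digest where possible: a tag can be repointed after review.
APPROVED_CUSTOM_BUILDERS = frozenset({
    "registry.example.com/ci/nexus-builder@sha256:" + "0" * 64,
    "registry.example.com/ci/promotion-client@sha256:" + "1" * 64,
})


def custom_strategy_violations(buildconfig, approved=APPROVED_CUSTOM_BUILDERS):
    """Return the list of policy violations for one BuildConfig (empty = allowed)."""
    violations = []
    strategy = buildconfig.get("spec", {}).get("strategy", {})
    if strategy.get("type") != "Custom":
        return violations

    custom = strategy.get("customStrategy", {})

    # The socket is the real hazard: with it the build pod can drive every
    # container on the node, which is exactly what the reporter's "docker ps" showed.
    if custom.get("exposeDockerSocket"):
        violations.append(
            "customStrategy.exposeDockerSocket is true: build would mount the node's Docker socket")

    # Only a fully qualified DockerImage reference can be compared against the
    # allowlist. An ImageStreamTag resolves inside the cluster and could point at
    # a user-pushed image, so this check refuses it rather than trying to resolve it.
    image_ref = custom.get("from", {})
    kind, name = image_ref.get("kind"), image_ref.get("name")
    if kind != "DockerImage":
        violations.append(f"customStrategy.from.kind must be DockerImage, got {kind!r}")
    elif name not in approved:
        violations.append(f"builder image {name!r} is not on the approved custom-builder list")
    return violations


def is_allowed(buildconfig, approved=APPROVED_CUSTOM_BUILDERS):
    """Convenience predicate for a CI gate or an admission hook."""
    return not custom_strategy_violations(buildconfig, approved)


# The reporter's BuildConfig, completed with a user-supplied builder image.
# Only the strategy fields come from the bug; the image name is constructed.
REPORTER_BUILDCONFIG = {
    "kind": "BuildConfig",
    "apiVersion": "v1",
    "metadata": {"name": "sleep-builder"},
    "spec": {
        "serviceAccount": "builder",
        "strategy": {
            "type": "Custom",
            "customStrategy": {
                "forcePull": True,
                "exposeDockerSocket": True,
                "from": {"kind": "DockerImage",
                         "name": "docker.io/someuser/sleep-builder:latest"},
            },
        },
    },
}

# A build that follows the policy: approved, digest-pinned image and no socket.
APPROVED_BUILDCONFIG = {
    "kind": "BuildConfig",
    "apiVersion": "v1",
    "metadata": {"name": "nexus-build"},
    "spec": {
        "strategy": {
            "type": "Custom",
            "customStrategy": {
                "forcePull": True,
                "from": {"kind": "DockerImage",
                         "name": "registry.example.com/ci/nexus-builder@sha256:" + "0" * 64},
            },
        },
    },
}

if __name__ == "__main__":
    for bc in (REPORTER_BUILDCONFIG, APPROVED_BUILDCONFIG):
        print(bc["metadata"]["name"], "->", custom_strategy_violations(bc) or "allowed")
```

The reporter's config fails on both counts (socket requested, unvetted image); the second passes. Run as a gate before `oc create -f` in the pipeline that submits BuildConfigs, or behind whatever admission layer the cluster offers. This is a complement to, not a replacement for, the coarse RBAC control the reporter mentions: in OpenShift 3.x the Custom strategy is granted through the system:build-strategy-custom cluster role, and removing it from system:authenticated blocks the strategy for everyone, which is why the reporter wants something finer.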

Comment 3 Eric Rich 2018-03-12 13:54:36 UTC
This bug has been identified as a dated (created more than 3 months ago) bug. 
This bug has been triaged (has a trello card linked to it), or reviewed by Engineering/PM and has been put into the product backlog, 
however this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year. 

As a result of this bug's age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Deferred,
as it is currently not part of the product's immediate priorities.

Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.

Comment 4 Red Hat Bugzilla 2023-09-14 23:59:21 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

