Bug 1448816 - Should add 'projected' in scc/restricted volume policy by default
Summary: Should add 'projected' in scc/restricted volume policy by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.7.0
Assignee: Jeff Peeler
QA Contact: Zhang Cheng
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-05-08 09:26 UTC by Zhang Cheng
Modified: 2017-11-28 21:54 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Projected volumes were not included in the security context constraints. Consequence: Pods could not be used with projected volumes. Fix: Add projected volumes to the correct SCCs. Result: Projected volumes may be used as expected.
Clone Of:
Environment:
Last Closed: 2017-11-28 21:54:33 UTC
Target Upstream Version:




Links
Red Hat Product Errata RHSA-2017:3188 (priority: normal, status: SHIPPED_LIVE): Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update; last updated 2017-11-29 02:34:54 UTC

Description Zhang Cheng 2017-05-08 09:26:29 UTC
Description of problem: Cannot create a pod with the projected volume plugin after 'oc login'; the pod can be created successfully after adding 'projected' to the scc/restricted volume policy.


Version-Release number of selected component (if applicable):
oc v3.6.67
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://host-8-174-4.host.centralci.eng.rdu2.redhat.com:8443
openshift v3.6.67
kubernetes v1.6.1+5115d708d


How reproducible:
Always


Steps to Reproduce:
1. Login in by `oc login --server`, and create a new project

2. Create a secret and a configmap with below yaml:
$ cat secret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: test-secret
data:
  data-1: dmFsdWUtMQ0K
  data-2: dmFsdWUtMg0KDQo=

$ cat configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: special-config
data:
  special.how: very
  special.type: charm

3. Try to create a pod with all-in-one volume
# cat allinone-normal-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: allinone-normal
  labels:
    region: one
spec:
  containers:
  - name: allinone-normal
    image: redis
    resources:
      limits:
        cpu: "500m"
        memory: "256Mi"
    volumeMounts:
    - name: all-in-one
      mountPath: "/all-in-one"
      readOnly: true
  volumes:
  - name: all-in-one
    projected:
      sources:
      - secret:
          name: test-secret
          items:
            - key: data-1
              path: mysecret/my-username
            - key: data-2
              path: mysecret/my-passwd
      - downwardAPI:
          items:
            - path: mydapi/labels
              fieldRef:
                fieldPath: metadata.labels
            - path: mydapi/name
              fieldRef:
                fieldPath: metadata.name
            - path: mydapi/cpu_limit
              resourceFieldRef:
                containerName: allinone-normal
                resource: limits.cpu
                divisor: "1m"
      - configMap:
          name: special-config
          items:
            - key: special.how
              path: myconfigmap/shared-config
            - key: special.type
              path: myconfigmap/private-config

Actual results: 
3. Pod creation failed.
$ oc create -f allinone-permission-mode-pod.yaml
Error from server (Forbidden): error when creating "allinone-permission-mode-pod.yaml": pods "allinone-permission-mode" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.volumes[0]: Invalid value: "projected": projected volumes are not allowed to be used]


Expected results: 
3. Pod should be created successfully, and project the secret, configmap and downward API into the same volume with normal keys and paths.


Additional info:
Pod can be created successfully after adding 'projected' to the scc/restricted volume policy.
# oc get scc | grep "^restricted"
restricted         false     []        MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
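The error in the description comes from SCC admission rejecting a volume type that is absent from every SCC the user can validate against. The following is an added example, not code from this bug report or from OpenShift itself: it models that volume-type check offline, builds the JSON patch the reporter's workaround amounts to (`oc patch scc restricted --type=json -p '...'`), and shows that the same pod is admitted once 'projected' is in the restricted SCC's volumes list. The SCC object is constructed from the `oc get scc` output quoted above, minus 'projected'; the pod is the allinone-normal pod trimmed to its volumes. Only the top-level volume source key is checked, matching the quoted error; nested projected sources are not inspected here, which is a simplification rather than a statement about the real admission plugin.

```python
"""Model of the SCC volume-type check behind the Forbidden error in this bug.

Added example, not OpenShift code. SCC and pod objects below are constructed
from the report; the field paths in the error strings are an approximation.
"""
import copy
import json

# 'restricted' SCC as shipped before the fix: no 'projected' (constructed).
RESTRICTED_SCC_BEFORE = {
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "restricted"},
    "volumes": ["configMap", "downwardAPI", "emptyDir",
                "persistentVolumeClaim", "secret"],
}

# The report's pod, reduced to the fields the volume check reads (constructed).
ALLINONE_POD = {
    "kind": "Pod",
    "metadata": {"name": "allinone-normal"},
    "spec": {
        "volumes": [{
            "name": "all-in-one",
            "projected": {"sources": [
                {"secret": {"name": "test-secret"}},
                {"downwardAPI": {"items": []}},
                {"configMap": {"name": "special-config"}},
            ]},
        }],
    },
}


def pod_volume_types(pod):
    """Return the set of volume plugin names (the key beside 'name') the pod uses."""
    types = set()
    for vol in pod.get("spec", {}).get("volumes", []):
        sources = [k for k in vol if k != "name"]
        if len(sources) != 1:
            raise ValueError(f"volume {vol.get('name')!r} must declare exactly one source")
        types.add(sources[0])
    return types


def disallowed_volume_types(scc, vol_types):
    """Volume types the SCC rejects; '*' in scc.volumes permits every type."""
    allowed = set(scc.get("volumes", []))
    if "*" in allowed:
        return []
    return sorted(t for t in vol_types if t not in allowed)


def validate_pod(pod, sccs):
    """Admission decision: (admitting SCC name, []) or (None, per-SCC errors)."""
    vol_types = pod_volume_types(pod)
    errors = []
    for scc in sccs:
        name = scc["metadata"]["name"]
        bad = disallowed_volume_types(scc, vol_types)
        if not bad:
            return name, []
        errors.extend(
            f'{name}: spec.volumes: Invalid value: "{t}": {t} volumes are not allowed to be used'
            for t in bad)
    return None, errors


def add_volume_type_patch(scc, vol_type):
    """JSON patch appending vol_type to the SCC's volumes list (empty if present).

    Usable as: oc patch scc <name> --type=json -p '<json.dumps(patch)>'
    """
    if vol_type in scc.get("volumes", []):
        return []
    return [{"op": "add", "path": "/volumes/-", "value": vol_type}]


def apply_patch(scc, patch):
    """Apply the 'add to /volumes/-' patch from above (minimal JSON Patch subset)."""
    patched = copy.deepcopy(scc)
    for op in patch:
        if op["op"] != "add" or op["path"] != "/volumes/-":
            raise ValueError(f"unsupported patch operation: {op}")
        patched.setdefault("volumes", []).append(op["value"])
    return patched


if __name__ == "__main__":
    print("before fix:", validate_pod(ALLINONE_POD, [RESTRICTED_SCC_BEFORE]))
    patch = add_volume_type_patch(RESTRICTED_SCC_BEFORE, "projected")
    print("oc patch scc restricted --type=json -p", json.dumps(patch))
    fixed = apply_patch(RESTRICTED_SCC_BEFORE, patch)
    print("after fix:", validate_pod(ALLINONE_POD, [fixed]))
```

The patch is the reporter's workaround on an existing cluster; the fix referenced in the comments below changes the bootstrap SCC definitions so that 'projected' is present in the correct SCCs without a manual edit. When widening an SCC this way, keep the change to the one volume type needed rather than adding "*", which would also admit hostPath and other host-level volume types under the restricted SCC.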

Comment 1 DeShuai Ma 2017-05-09 03:00:58 UTC
Double confirmed in online dev-preview-int, same issue.
Changing bug to online.

Comment 3 Paul Morie 2017-05-11 02:49:41 UTC
I cut a patch for this: https://github.com/openshift/origin/pull/14136

Comment 4 Jeff Peeler 2017-05-11 17:44:34 UTC
Latest here: https://github.com/openshift/origin/pull/14147

Comment 7 Zhang Cheng 2017-07-05 05:39:56 UTC
Verified and passed on openshift v3.6.133

Comment 12 errata-xmlrpc 2017-11-28 21:54:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

