1568292 – [3.5]Failed to prevent s2i builder images from running as root

Bug 1568292 - [3.5]Failed to prevent s2i builder images from running as root

Summary: [3.5]Failed to prevent s2i builder images from running as root

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Build
Sub Component:
Version:	3.5.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	3.5.z
Assignee:	Adam Kaplan
QA Contact:	Dongbo Yan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-17 07:28 UTC by Dongbo Yan
Modified:	2018-12-03 17:35 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: the pod admission controller returned false positives that impacted logic used by the OpenShift build controller Consequence: source-to-image (s2i) build containers were allowed to run as the root user Fix: pod admission controller checks for s2i builds return correct results Result: s2i build containers are not allowed to run as the root user by default
Clone Of:
Environment:
Last Closed:	2018-12-03 17:35:00 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:3624	0	None	None	None	2018-12-03 17:35:24 UTC

Description Dongbo Yan 2018-04-17 07:28:52 UTC

Description of problem:
Failed to prevent s2i builder images from running as root

Version-Release number of selected component (if applicable):
openshift v3.5.5.31.67
kubernetes v1.5.2+43a9be4
etcd 3.1.0

How reproducible:
Always

Steps to Reproduce:
1.Build image with Dockerfile set instruction "USER 0" in it
2.Use above built image to do s2i build
 $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/build/tc499515/test-buildconfig-user0.json
3.Check build status

Actual results:
Build is completed

Expected results:
Build is failed with error in log:
"must specify a user that is numeric and within the range of allowed users"

Additional info:

Comment 1 Wenjing Zheng 2018-04-23 13:30:02 UTC

Also can reproduce on release verson v3.5.5.31.66, so removing regression keyword.

Comment 2 Adam Kaplan 2018-05-10 16:17:07 UTC

Could not reproduce with default installation (origin 1.5 via oc cluster up).

These builds can be allowed if the cluster admin grants the `builder` service account an elevated security context constraint, such as `anyuid`. Can you please provide the security context constraints applied to the builder service account for these tests?

Comment 4 Adam Kaplan 2018-05-21 12:40:18 UTC

Related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1464356

Comment 5 Adam Kaplan 2018-05-22 15:49:36 UTC

Pull Request: https://github.com/openshift/ose/pull/1272

Comment 7 Dongbo Yan 2018-11-16 05:35:13 UTC

Verified
oc v3.5.5.31.80
kubernetes v1.5.2+43a9be4
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server 
openshift v3.5.5.31.80
kubernetes v1.5.2+43a9be4

# oc logs -f build/ruby-sample-build-user0-1
Cloning "https://github.com/openshift/ruby-hello-world.git" ...
	Commit:	7ccd3242c49c3868195ca9400a539fa611111096 (Merge pull request #71 from bparees/gemfile2)
	Author:	Ben Parees <bparees.github.com>
	Date:	Fri Feb 9 18:24:07 2018 -0500
error: build error: image "docker.io/aosqe/ruby-20-centos7:user0" must specify a user that is numeric and within the range of allowed users

Comment 9 errata-xmlrpc 2018-12-03 17:35:00 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3624

Note You need to log in before you can comment on or make changes to this bug.