Bug 1568292 - [3.5]Failed to prevent s2i builder images from running as root
Summary: [3.5]Failed to prevent s2i builder images from running as root
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 3.5.1
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 3.5.z
Assignee: Adam Kaplan
QA Contact: Dongbo Yan
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-17 07:28 UTC by Dongbo Yan
Modified: 2018-12-03 17:35 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: the pod admission controller returned false positives that impacted logic used by the OpenShift build controller Consequence: source-to-image (s2i) build containers were allowed to run as the root user Fix: pod admission controller checks for s2i builds return correct results Result: s2i build containers are not allowed to run as the root user by default
Clone Of:
Environment:
Last Closed: 2018-12-03 17:35:00 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:3624 0 None None None 2018-12-03 17:35:24 UTC

Description Dongbo Yan 2018-04-17 07:28:52 UTC
Description of problem:
Failed to prevent s2i builder images from running as root

Version-Release number of selected component (if applicable):
openshift v3.5.5.31.67
kubernetes v1.5.2+43a9be4
etcd 3.1.0

How reproducible:
Always

Steps to Reproduce:
1.Build image with Dockerfile set instruction "USER 0" in it
2.Use above built image to do s2i build
 $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/build/tc499515/test-buildconfig-user0.json
3.Check build status

Actual results:
Build is completed

Expected results:
Build is failed with error in log:
"must specify a user that is numeric and within the range of allowed users"

Additional info:

Comment 1 Wenjing Zheng 2018-04-23 13:30:02 UTC
Also can reproduce on release verson v3.5.5.31.66, so removing regression keyword.

Comment 2 Adam Kaplan 2018-05-10 16:17:07 UTC
Could not reproduce with default installation (origin 1.5 via oc cluster up).

These builds can be allowed if the cluster admin grants the `builder` service account an elevated security context constraint, such as `anyuid`. Can you please provide the security context constraints applied to the builder service account for these tests?

Comment 4 Adam Kaplan 2018-05-21 12:40:18 UTC
Related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1464356

Comment 5 Adam Kaplan 2018-05-22 15:49:36 UTC
Pull Request: https://github.com/openshift/ose/pull/1272

Comment 7 Dongbo Yan 2018-11-16 05:35:13 UTC
Verified
oc v3.5.5.31.80
kubernetes v1.5.2+43a9be4
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server 
openshift v3.5.5.31.80
kubernetes v1.5.2+43a9be4

# oc logs -f build/ruby-sample-build-user0-1
Cloning "https://github.com/openshift/ruby-hello-world.git" ...
	Commit:	7ccd3242c49c3868195ca9400a539fa611111096 (Merge pull request #71 from bparees/gemfile2)
	Author:	Ben Parees <bparees@users.noreply.github.com>
	Date:	Fri Feb 9 18:24:07 2018 -0500
error: build error: image "docker.io/aosqe/ruby-20-centos7:user0" must specify a user that is numeric and within the range of allowed users

Comment 9 errata-xmlrpc 2018-12-03 17:35:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3624


Note You need to log in before you can comment on or make changes to this bug.