Bug 1608814 - [CRI-O]Pod with invalid 'securityContext' field can create successfully in cri-o env
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: 3.11.0
Assignee: Lokesh Mandvekar
QA Contact: scheng
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-07-26 10:16 UTC by scheng
Modified: 2018-10-11 07:22 UTC (History)

Fixed In Version: cri-o-1.11.2-1.rhaos3.11.git3eac3b2.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-11 07:22:15 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:2652 0 None None None 2018-10-11 07:22:40 UTC

Description scheng 2018-07-26 10:16:59 UTC
Description of problem:
A pod spec with an invalid 'securityContext' field, such as `"securityContext": {"capabilities": {"add":["KILLtest"]}}`, can be created successfully in a cri-o environment.

Version-Release number of selected component (if applicable):
```
# openshift version
openshift v3.11.0-0.9.0

# crio -v
crio version 1.11.1
commit: "96828874a5891219d5ae239f82bc5f6669454c4f-dirty"
```

How reproducible:
Always

Steps to Reproduce:
1. Create an SCC:

```yaml
allowedCapabilities:
- FSETID
- KILLtest
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
apiVersion: v1
groups:
- system:serviceaccounts:{YourProjectName}
kind: SecurityContextConstraints
metadata:
  labels:
    name: scc-cap
  name: scc-cap
```

2. Create a pod from pod.json:

```json
{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "pod-add-chown",
    "labels": {
      "name": "pod-add-chown"
    }
  },
  "spec": {
    "containers": [{
      "name": "pod-add-chown",
      "image": "bmeng/hello-openshift",
      "securityContext": {
        "capabilities": {"add": ["KILLtest"]}
      }
    }]
  }
}
```


Actual results:
No warning; the pod and container are created successfully.

Expected results:
`oc describe pod` should show something like:
```
 Warning  Failed  Error: failed to start container "pod-add-chown": Error response from daemon: linux spec capabilities: Unknown capability to add: "CAP_KILLtest"
```

Additional info:

Comment 1 Antonio Murdaca 2018-07-26 15:02:36 UTC
Fix here https://github.com/kubernetes-incubator/cri-o/pull/1707

Comment 2 scheng 2018-08-13 10:38:27 UTC
Hi, I see `crio version 1.11.1` has that https://github.com/kubernetes-incubator/cri-o/pull/1707 commit, but this bug still occurs in `crio version 1.11.1`. Thanks.

Comment 4 Mrunal Patel 2018-08-17 23:31:42 UTC
The fix will be in cri-o 1.11.2. We missed that commit in 1.11.1.

Comment 6 weiwei jiang 2018-08-27 06:26:47 UTC
Moving back to MODIFIED since the current build is still cri-o-1.11.1-2.rhaos3.11.git1759204.el7.x86_64.

Comment 7 Lokesh Mandvekar 2018-08-27 19:04:41 UTC
Frantisek, please build a cri-o 1.11.2

Comment 8 Lokesh Mandvekar 2018-08-28 19:57:20 UTC
So I got this built: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=18076851

PTAL

Comment 11 Antonio Murdaca 2018-08-29 12:28:45 UTC
It works with 1.11.2 on my system. I get:

```
NAME      READY     STATUS                 RESTARTS   AGE
capbug1   0/1       CreateContainerError   0          6m
capbug2   0/1       CreateContainerError   0          3m
capbug3   0/1       CreateContainerError   0          3m
capbug4   0/1       CreateContainerError   0          11s
```

```
Events:
  Type     Reason          Age              From                Message
  ----     ------          ----             ----                -------
  Normal   Scheduled       8s               default-scheduler   Successfully assigned default/capbug4 to 127.0.0.1
  Normal   SandboxChanged  7s               kubelet, 127.0.0.1  Pod sandbox changed, it will be killed and re-created.
  Normal   Pulled          5s (x4 over 8s)  kubelet, 127.0.0.1  Container image "gcr.io/google-samples/node-hello:1.0" already present on machine
  Warning  Failed          5s (x4 over 8s)  kubelet, 127.0.0.1  Error: unknown capability "CAP_KILLTEST" to add
```

Comment 12 Antonio Murdaca 2018-08-29 12:30:11 UTC
```
k get pod capbug1 -o yaml | grep -i -n3 capabilities
14-    name: capbug
15-    resources: {}
16-    securityContext:
17:      capabilities:
18-        add:
19-        - KILLtest
20-        - SYS_TIME
```

Comment 13 Antonio Murdaca 2018-08-29 18:45:34 UTC
OpenShift + CRI-O also fails correctly:

cri-o-1.11.2-1.rhaos3.11.git3eac3b2.el7.x86_64


```
Events:
  Type     Reason          Age              From                           Message
  ----     ------          ----             ----                           -------
  Normal   Scheduled       38s              default-scheduler              Successfully assigned default/capbug4 to runcomtest-ig-n-7w5w
  Normal   Pulling         36s              kubelet, runcomtest-ig-n-7w5w  pulling image "gcr.io/google-samples/node-hello:1.0"
  Normal   Pulled          7s               kubelet, runcomtest-ig-n-7w5w  Successfully pulled image "gcr.io/google-samples/node-hello:1.0"
  Normal   SandboxChanged  3s (x2 over 6s)  kubelet, runcomtest-ig-n-7w5w  Pod sandbox changed, it will be killed and re-created.
  Warning  Failed          1s (x3 over 7s)  kubelet, runcomtest-ig-n-7w5w  Error: unknown capability "CAP_KILLTEST" to add
  Normal   Pulled          1s (x2 over 4s)  kubelet, runcomtest-ig-n-7w5w  Container image "gcr.io/google-samples/node-hello:1.0" already present on machine


20:42:24 [release/cluster/test-deploy] ‹master*› oc get pods
NAME                       READY     STATUS                 RESTARTS   AGE
capbug4                    0/1       CreateContainerError   0          53s
docker-registry-1-dhggb    1/1       Running                0          6m
registry-console-1-9t9hs   1/1       Running                0          6m
```

Please re-test it, as I cannot reproduce with the very same package you're using.
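The behaviour the comments above confirm in 1.11.2 is that an unknown capability name is rejected at container creation instead of being silently accepted. The following is an added illustration of that kind of check, not CRI-O's own code from PR 1707; the capability table is a constructed subset, and the `ALL` pseudo-capability is deliberately left out. It also validates the `drop` list, where a silently ignored typo would leave a capability in place that the operator intended to remove.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed subset of the Linux capability names a runtime accepts
// (illustrative only; the real list is longer and omits nothing).
var knownCaps = map[string]bool{
	"CAP_CHOWN": true, "CAP_DAC_OVERRIDE": true, "CAP_FSETID": true,
	"CAP_KILL": true, "CAP_NET_BIND_SERVICE": true, "CAP_SETUID": true,
	"CAP_SYS_TIME": true, "CAP_SYS_ADMIN": true,
}

// normalizeCap maps the Kubernetes spelling ("KILL", "kill") to the
// OCI spelling ("CAP_KILL"), which is the form the error messages use.
func normalizeCap(name string) string {
	n := strings.ToUpper(strings.TrimSpace(name))
	if !strings.HasPrefix(n, "CAP_") {
		n = "CAP_" + n
	}
	return n
}

// ValidateCapabilities checks every entry of the add and drop lists and
// returns the first unknown name as an error instead of ignoring it.
// On success it returns the normalized lists.
func ValidateCapabilities(add, drop []string) ([]string, []string, error) {
	check := func(list []string, verb string) ([]string, error) {
		out := make([]string, 0, len(list))
		for _, c := range list {
			n := normalizeCap(c)
			if !knownCaps[n] {
				return nil, fmt.Errorf("unknown capability %q to %s", n, verb)
			}
			out = append(out, n)
		}
		return out, nil
	}
	a, err := check(add, "add")
	if err != nil {
		return nil, nil, err
	}
	d, err := check(drop, "drop")
	if err != nil {
		return nil, nil, err
	}
	return a, d, nil
}

func main() {
	// The add list from this bug's pod spec, with the typo "KILLtest".
	_, _, err := ValidateCapabilities([]string{"KILLtest", "SYS_TIME"}, nil)
	fmt.Println(err) // unknown capability "CAP_KILLTEST" to add
}
```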

Comment 16 errata-xmlrpc 2018-10-11 07:22:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2652

