1805488 – Some core components are in openshift.io/run-level 1 and are bypassing SCC, but should not be

Bug 1805488 - Some core components are in openshift.io/run-level 1 and are bypassing SCC, but should not be

Summary: Some core components are in openshift.io/run-level 1 and are bypassing SCC, b...

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Security
Sub Component:
Version:	4.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	4.7.z
Assignee:	Stefan Schimanski
QA Contact:	xiyuan
Docs Contact:
URL:
Whiteboard:
Depends On:	1805572 1805917 1806438 1806439 1806892 1806893 1806902 1806903 1806904 1806905 1806906 1806907 1806908 1806909 1806913 1806915 1806917 1806918 1806919 1807490 1807659 1807762 1830496 1830497
Blocks:	1966621
TreeView+	depends on / blocked

Reported:	2020-02-20 21:27 UTC by Clayton Coleman
Modified:	2023-09-15 01:29 UTC (History)
CC List:	16 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1805570 1806438 1806892 1806893 1806902 1806903 1806904 1806905 1806906 1806907 1806908 1806909 1806913 1806915 1806917 1806918 1806919 1966621 (view as bug list)
Environment:
Last Closed:	2022-08-30 17:18:52 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Clayton Coleman 2020-02-20 21:27:33 UTC

Run-level 1 bypasses SCC, but many components have no need for that (are less secure as a result).  Every component that does not need to be up before SCC starts should be in either the anyuid or restricted SCC profile so they get a stable SELinux label.

Because these components are running without the appropriate restrictions, the security profile of these core components is weaker than it should be.

All platform components that can run without a run level MUST do so, and use anyuid or restricted unless they can make a case for host network or privileged. Those components should be granted access to the protected SCCs.

Each component listed here must be reviewed to determine whether it must be in run-level 1 or not, and if not, the label should be removed and appropriate SCC bindings created.

NAME                                      STATUS   AGE
openshift-apiserver                       Active   36m
openshift-cloud-credential-operator       Active   43m
openshift-cluster-version                 Active   43m
openshift-controller-manager              Active   43m
openshift-insights                        Active   43m
openshift-kni-infra                       Active   43m
openshift-kube-storage-version-migrator   Active   36m
openshift-machine-api                     Active   43m
openshift-machine-config-operator         Active   43m
openshift-openstack-infra                 Active   43m
openshift-operator-lifecycle-manager      Active   43m
openshift-operators                       Active   43m
openshift-ovirt-infra                     Active   43m
openshift-service-ca                      Active   36m
openshift-service-ca-operator             Active   43m
openshift-support                         Active   43m
openshift-vsphere-infra                   Active   43m

Comment 1 Clayton Coleman 2020-02-20 21:30:10 UTC

Insights and support handled in https://github.com/openshift/insights-operator/pull/78

Comment 2 Clayton Coleman 2020-02-20 21:31:57 UTC

Components that may already have child pods in the namespace should grant the "anyuid" SCC to all pods in their namespace (group "system:serviceaccount:NAMESPACE") if there is a chance user workloads or arbitrary pods have already landed.

Comment 14 Sudha Ponnaganti 2020-03-05 00:14:07 UTC


*** This bug has been marked as a duplicate of bug 1807436 ***

Comment 17 Stefan Schimanski 2020-03-12 15:32:17 UTC

We made quite a bit of progress on the topic. But there are core components like service-ca and openshift-apiserver which need serious changes in the architecture to fix. Hence, we move this umbrella BZ to 4.5 for follow-up work.

Comment 18 Stephen Cuppett 2020-06-11 12:31:00 UTC

This isn't a showstopper for 4.5.0 GA at this point. Setting target release to 4.6.0 (the current development branch). For fixes (if any) requested/required on prior versions, clones will be created targeting those z-stream releases as appropriate.

Comment 22 Mark Cooper 2021-06-21 04:45:00 UTC

Infra namespaces fix: 

 - openshift-openstack-infra
 - openshift-kni-infra
 - openshift-ovirt-infra
 - openshift-vsphere-infra

https://bugzilla.redhat.com/show_bug.cgi?id=1973525
https://github.com/openshift/machine-config-operator/pull/2627/files

Comment 23 Mark Cooper 2021-06-29 03:04:08 UTC

 - openshift-vertical-pod-autoscaler

https://bugzilla.redhat.com/show_bug.cgi?id=1974567 

 - openshift-kubevirt-infra

https://bugzilla.redhat.com/show_bug.cgi?id=1977129

Comment 24 Mark Cooper 2021-11-03 07:23:32 UTC

 - MCO 

https://bugzilla.redhat.com/show_bug.cgi?id=1978581

 - CVO there is this comment here: https://github.com/openshift/cluster-version-operator/pull/24 saying that it is required, but that was 2018, not sure if it still is.

Comment 25 Matt Catsimanes 2021-12-17 01:49:39 UTC

@sponnaga

Comment 26 Mark Cooper 2021-12-17 01:53:15 UTC

CVO 
 - https://github.com/openshift/cluster-version-operator/pull/623
 - https://bugzilla.redhat.com/show_bug.cgi?id=2020107

Comment 30 Yuval Kashtan 2022-02-23 20:23:28 UTC

I think we've fully removed `run-level: 1` from openshift now
and we can close this one :-)

Comment 35 Vikas Laad 2022-08-30 17:18:52 UTC

4.7 is EOL now, closing all the bugs.

Comment 36 Red Hat Bugzilla 2023-09-15 01:29:11 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days

Note You need to log in before you can comment on or make changes to this bug.