Bug 1830496 - PTP operator is in openshift.io/run-level 1 and bypassing SCC
Summary: PTP operator is in openshift.io/run-level 1 and bypassing SCC
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.5
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.5.0
Assignee: Federico Paolinelli
QA Contact: huirwang
URL:
Whiteboard:
Depends On:
Blocks: 1805488 1966621
Reported: 2020-05-02 08:44 UTC by Mark McLoughlin
Modified: 2021-06-01 14:15 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-13 17:34:13 UTC
Target Upstream Version:
Embargoed:




Links
System: Github openshift ptp-operator pull 55 | Private: None | Status: closed | Summary: Bug 1830496: Remove runlevel from the operator's namespace and use SCC | Last Updated: 2020-12-08 22:00:19 UTC
System: Red Hat Product Errata RHBA-2020:2409 | Private: None | Status: None | Summary: None | Last Updated: 2020-07-13 17:34:45 UTC

Description Mark McLoughlin 2020-05-02 08:44:00 UTC
The openshift-ptp namespace is labelled with openshift.io/run-level: "1"

From bug #1805488:

Run-level 1 bypasses SCC, but many components have no need for that (are less secure as a result).  Every component that does not need to be up before SCC starts should be in either the anyuid or restricted SCC profile so they get a stable SELinux label.

Because these components are running without the appropriate restrictions, the security profile of these core components is weaker than it should be.

All platform components that can run without a run level MUST do so, and use anyuid or restricted unless they can make a case for host network or privileged. Those components should be granted access to the protected SCCs.

Each component listed here must be reviewed to determine whether it must be in run-level 1 or not, and if not, the label should be removed and appropriate SCC bindings created.


If the PTP operator has a genuine need to run at this level, it would at least be helpful to briefly document the reason for that as a comment above the label.
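The configuration below is an added illustration of the change the report asks for; it is not taken from the bug, from the linked pull request, or from the ptp-operator repository. The first manifest shows the weak setting (the namespace carrying the run-level label, which exempts its pods from SCC admission), the second shows the namespace with the label dropped, and the Role/RoleBinding grant the operator's service account `use` of the `anyuid` SCC so its pods are still admitted once the exemption is gone. The service account name `ptp-operator` is an assumption; the namespace `openshift-ptp`, the label key and the SCC names are the ones named in the report.

```yaml
# --- Weak: run-level 1 exempts every pod in this namespace from SCC admission ---
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-ptp
  labels:
    openshift.io/run-level: "1"   # bypasses SCC; pods get no stable SELinux label
---
# --- Hardened: no run-level label, so SCC admission applies to pods in the namespace ---
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-ptp
  # openshift.io/run-level intentionally absent; the operator does not need to
  # start before SCC admission is available
---
# Role granting the 'use' verb on one named SCC (anyuid). Choose 'restricted'
# instead if the operator does not need to run as a specific UID.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ptp-operator-scc            # assumed name
  namespace: openshift-ptp
rules:
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  resourceNames:
  - anyuid
  verbs:
  - use
---
# Bind the Role to the service account the operator's pods run as (assumed name).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ptp-operator-scc            # assumed name
  namespace: openshift-ptp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ptp-operator-scc
subjects:
- kind: ServiceAccount
  name: ptp-operator                # assumed service account name
  namespace: openshift-ptp
```

Two checks are useful after applying this. `oc get ns -l openshift.io/run-level` lists every namespace that still carries the exemption, which is the review the report asks for across components. Once the label is gone, the `openshift.io/scc` annotation that admission writes onto each pod shows which SCC actually admitted it; a pod whose annotation is missing or reads `privileged` when `anyuid` or `restricted` was intended indicates the binding or the operator's pod spec still needs attention.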

Comment 1 Federico Paolinelli 2020-05-08 16:21:35 UTC
Opened https://github.com/openshift/ptp-operator/pull/55

Comment 5 errata-xmlrpc 2020-07-13 17:34:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409

