Bug 1914407 - Its not clear that node-ca is running as non-root
Summary: Its not clear that node-ca is running as non-root
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 4.6
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
: 4.7.0
Assignee: Ricardo Maraschini
QA Contact: Wenjing Zheng
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-08 18:26 UTC by John McMeeking
Modified: 2021-02-24 15:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Absence of an explicit user id and group id on the node-ca DaemonSet. Consequence: Confused interpretation of which user and group are in use in the node-ca pods. Fix: Explicitly provide the node-ca DaemonSet with runAsUser and runAsGroup configuration to make things clear. Result: Better, easier and cleaner understanding by simply inspecting node-ca's DaemonSet yaml file.
Clone Of:
Environment:
Last Closed: 2021-02-24 15:51:26 UTC
Target Upstream Version:
Embargoed:




Links:
- GitHub openshift/cluster-image-registry-operator pull 658 (closed): Bug 1914407: Explicitly set node-ca runAsUser and runAsGroup (last updated 2021-02-04 02:39:33 UTC)
- Red Hat Product Errata RHSA-2020:5633 (last updated 2021-02-24 15:51:37 UTC)

Description John McMeeking 2021-01-08 18:26:04 UTC
Description of problem:

The image registry "node-ca" securityContext says the pod is privileged and does not specify a user. I (perhaps naively) expected to see the container running as root, while it actually runs as uid=1001. Digging deeper, I see uid=1001 matches up with host file permissions, so it makes sense.

I encountered that as part of looking for pods that run as root in prep for running in a financial services environment.

- Can you confirm the "node-ca" pod should be privileged?

- Would you consider adding "runAsUser: 1001" to the securityContext rather than relying on the container image?  If nothing else, it might make this behavior clearer.


Version-Release number of selected component (if applicable):

$ oc version
Client Version: 4.5.0-202005291417-9933eb9
Server Version: 4.6.9
Kubernetes Version: v1.19.0+7070803


How reproducible:

Always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

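The audit the reporter describes (finding workloads whose securityContext does not pin a user, so the effective uid silently comes from the image's USER directive) can be done from the pod spec alone. The following is an added example, not code from this bug or from the cluster-image-registry-operator; it runs over a constructed node-ca-like DaemonSet manifest in its pre-fix and post-fix forms, with a placeholder image name.

```python
import json

# Constructed DaemonSet manifest resembling node-ca before the fix:
# privileged, but no runAsUser/runAsGroup. Sample data, not the real object.
BEFORE = {
    "kind": "DaemonSet", "metadata": {"name": "node-ca"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "node-ca",
                        "image": "registry.example/node-ca:placeholder",
                        "securityContext": {"privileged": True}}]}}}}

# Same manifest after the fix: uid and gid pinned explicitly.
AFTER = json.loads(json.dumps(BEFORE))
AFTER["spec"]["template"]["spec"]["containers"][0]["securityContext"].update(
    {"runAsUser": 1001, "runAsGroup": 0})


def effective_security(pod_spec, container):
    """Merge pod-level and container-level securityContext; container wins."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def audit_workload(manifest):
    """One finding per (init)container: is the uid pinned, is it root,
    is the container privileged."""
    pod_spec = manifest["spec"]["template"]["spec"]
    findings = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = effective_security(pod_spec, c)
        uid = sc.get("runAsUser")
        findings.append({
            "workload": manifest["metadata"]["name"],
            "container": c["name"],
            "privileged": bool(sc.get("privileged")),
            "runAsUser": uid,
            "runAsNonRoot": sc.get("runAsNonRoot"),
            # None: the uid is decided by the image, which the manifest
            # cannot tell you; that is exactly the ambiguity in this bug.
            "user_pinned": uid is not None,
            "runs_as_root": uid == 0,
        })
    return findings


if __name__ == "__main__":
    for label, manifest in (("before", BEFORE), ("after", AFTER)):
        for finding in audit_workload(manifest):
            print(label, finding)
```

Against a live cluster the same function can be fed the output of `oc get ds node-ca -o json`.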
Comment 2 Wenjing Zheng 2021-02-04 03:12:26 UTC
Verified on 4.7.0-0.nightly-2021-02-02-164630:
$ oc get ds node-ca -o yaml | grep runAs
                  f:runAsGroup: {}
                  f:runAsUser: {}
          runAsGroup: 0
          runAsUser: 1001
$ oc rsh node-ca-2v56t
sh-4.4$ id  
uid=1001(1001) gid=0(root) groups=0(root)

Comment 3 John McMeeking 2021-02-04 04:53:53 UTC
Looks good to me :-)  Thanks!

Are there any plans to back-port this?

Comment 8 errata-xmlrpc 2021-02-24 15:51:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

