Bug 1914446 - openshift-service-ca-operator and openshift-service-ca pods run as root
Summary: openshift-service-ca-operator and openshift-service-ca pods run as root
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: service-ca
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.8.0
Assignee: Standa Laznicka
QA Contact:
: 1929801 (view as bug list)
Depends On:
Blocks: 1950337
TreeView+ depends on / blocked
Reported: 2021-01-08 21:17 UTC by John McMeeking
Modified: 2021-11-18 22:35 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Run service-ca-operator pods as a non-root user. Reason: Some view running a pod as the root user as a potential threat, even though there are other security mechanisms that still apply even for these Result: The service-ca-operator now runs as uid/gid 1001/1001 user.
Clone Of:
Last Closed: 2021-07-27 22:36:03 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift service-ca-operator pull 136 0 None open Bug 1914446: manifests: run the operator's pod as non-root user 2021-03-01 08:02:14 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:36:27 UTC

Description John McMeeking 2021-01-08 21:17:06 UTC
Description of problem:

We see these pods running as root in our 4.6 cluster. We don't see a reason why they need to do that.

- openshift-service-ca-operator/service-ca-operator
- openshift-service-ca/service-ca

To run in a financial services environment we need to explain why these are running as root or (preferably) change them if root is not required.

Can you provide an explanation or change these as appropriate?

Version-Release number of selected component (if applicable):

$ oc version
Client Version: 4.5.0-202005291417-9933eb9
Server Version: 4.6.9
Kubernetes Version: v1.19.0+7070803

How reproducible:


Steps to Reproduce:
1. oc exec -n NS POD -- ps -e -o pid,uid,cmd

Actual results:

+ oc exec -n openshift-service-ca-operator service-ca-operator-5fdbb8bf4-fb4vs -- ps -e -o pid,uid,cmd
     1     0 service-ca-operator operator --config=/var/run/configmaps/config/operator-config.yaml -v=4

+ oc exec -n openshift-service-ca service-ca-7bcdd8f55b-n48bm -- ps -e -o pid,uid,cmd
     1     0 service-ca-operator controller -v=2

Expected results:

UID is not 0

Additional info:

Comment 1 Standa Laznicka 2021-01-12 08:36:00 UTC
This is very likely caused by https://bugzilla.redhat.com/show_bug.cgi?id=1806917 and https://bugzilla.redhat.com/show_bug.cgi?id=1806915. You can see the explanation about why this was in place in a comment in the latter BZ, specifically: https://bugzilla.redhat.com/show_bug.cgi?id=1806915#c1 - it was to prevent the circular component dependency.

This measure is no longer needed and, as you can see in the above BZs, it is fixed in the next release (4.7). However, for the `openshift-service-ca-operator` pod and namespace, a manual intervention is necessary due to https://bugzilla.redhat.com/show_bug.cgi?id=1806917#c19. You would need to remove the offending label yourself and restart the namespace's pods. If you would like to avoid these manual steps, you can move this BZ to "Cluster Version Operator" component.

Please let me know if that information is sufficient.

Comment 2 Standa Laznicka 2021-01-12 13:16:11 UTC
Actually, I can see that even in the latest devel snapshot, service-ca operator is still running as root, let me investigate.

Comment 4 Standa Laznicka 2021-02-03 12:12:39 UTC
So I looked into this, even with the new fixes, the pod will continue running as root. What exactly is the issue with the container running as root? It's still contained away from the rest of the system, and runs with limited capabilities.

Comment 5 John McMeeking 2021-02-03 21:47:01 UTC
We're working with customers (like banks and governments) that have requirements that containers do not run as root. Some things clearly have to run as root but the smaller that list the better.

Comment 9 scheng 2021-05-18 06:47:34 UTC
*** Bug 1929801 has been marked as a duplicate of this bug. ***

Comment 14 errata-xmlrpc 2021-07-27 22:36:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.