Description of problem:
When trying to drop all capabilities in a container by using the keyword "all" it doesn't work. More information in the reproducer provided below.

Version-Release number of selected component (if applicable):
4.6.12

How reproducible:
Always

Steps to Reproduce:
1. https://gist.github.com/mvazquezc/6dcd8d27a83d7495b0df173e1cf7fdc0

Actual results:
When using the "all/ALL" keyword, caps are not being dropped, neither when you set drop "all" at container level (like in the reproducer) nor at SCC level:

requiredDropCapabilities:
- ALL

The drop "ALL" at SCC level is documented here (it mentions docker though):
https://docs.openshift.com/container-platform/4.6/authentication/managing-security-context-constraints.html

Expected results:
The "all/ALL" keyword can be used for dropping caps on pods at the container level and at the SCC level.

Additional info:
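Added example (not part of this report or of the CRI-O/OpenShift code): a small checker that decodes the Cap* masks from /proc/<pid>/status, so an operator can verify from inside a container whether a drop actually took effect instead of trusting the pod spec or SCC. The sample status text is constructed and carries the common default container capability set.

```python
import re

# Linux capability bit positions; list index == bit number (0..40, up to CAP_CHECKPOINT_RESTORE).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

def parse_cap_masks(status_text):
    """Extract the Cap* hex masks (as ints) from the text of /proc/<pid>/status."""
    masks = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", line)
        if m:
            masks[m.group(1)] = int(m.group(2), 16)
    return masks

def decode_caps(mask):
    """Turn a capability bitmask into the list of cap_* names it contains."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(("cap_" + CAP_NAMES[bit]) if bit < len(CAP_NAMES) else f"cap_bit{bit}")
        bit += 1
    return names

def capability_report(status_text):
    """Return (all_dropped, {set_name: [cap names]}) for one process."""
    masks = parse_cap_masks(status_text)
    decoded = {k: decode_caps(v) for k, v in masks.items()}
    # "All dropped" means permitted, effective AND bounding sets are empty:
    # a root process can regain anything still left in the bounding set.
    dropped = all(masks.get(k, 0) == 0 for k in ("CapPrm", "CapEff", "CapBnd"))
    return dropped, decoded

# Constructed sample: the usual default container set (0xa80425fb), i.e. nothing dropped.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)
```

Inside a container, feed it `open("/proc/self/status").read()`; a non-empty CapBnd after a drop "ALL" means the drop was not applied by the runtime.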
This has been discussed in the crio team. It's not a crio bug. The current result is expected, crio does not drop any capabilities. The SCC document may be misleading in using ALL.
(In reply to Qi Wang from comment #1)
> This has been discussed in the crio team. It's not a crio bug. The current
> result is expected, crio does not drop any capabilities. The document of SCC
> may be misleading in using ALL.

It seems this was supported when docker was the runtime used by OpenShift 3. Would it be possible to get it implemented in CRIO? If you think it's possible I'll open an RFE.
> It seems this was supported when docker was the runtime used by OpenShift 3.
> Would it be possible to get it implemented in CRIO? If you think it's
> possible I'll open an RFE.

Thanks. I don't think it's planned to be implemented. The current result is expected and stays consistent with containerd.
Ref: openshift-docs PR will update the SCC instructions https://github.com/openshift/openshift-docs/pull/30197
The above PR has been merged and doc updates are live: https://docs.openshift.com/container-platform/4.6/authentication/managing-security-context-constraints.html#security-context-constraints-creating_configuring-internal-oauth