Bug 1931838 - Capabilities are not being dropped when using keyword "all" in the container's securityContext
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 4.6
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Qi Wang
QA Contact: MinLi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-02-23 11:13 UTC by Mario Vázquez
Modified: 2021-03-15 19:50 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-15 19:50:30 UTC
Target Upstream Version:
Embargoed:



Description Mario Vázquez 2021-02-23 11:13:33 UTC
Description of problem:

When trying to drop all capabilities in a container by using the keyword "all" it doesn't work.

More information in the reproducer provided below.

Version-Release number of selected component (if applicable):
4.6.12

How reproducible:
Always

Steps to Reproduce:
1. https://gist.github.com/mvazquezc/6dcd8d27a83d7495b0df173e1cf7fdc0

Actual results:

When using the "all/ALL" keyword, caps are not being dropped, whether you set drop "all" at the container level (as in the reproducer) or at the SCC level:

requiredDropCapabilities:
- ALL

The drop "ALL" at SCC level is documented here (it mentions docker though):

https://docs.openshift.com/container-platform/4.6/authentication/managing-security-context-constraints.html

Expected results:

"all/ALL" keyword can be used for dropping caps on pods at the container level and at the SCC level.


Additional info:

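To make the reproducer's observation checkable without the gist, here is an added example (not the reporter's code and not part of the OpenShift or CRI-O projects) that decodes the CapBnd/CapEff masks from /proc/<pid>/status inside the container and compares them with what a securityContext.capabilities block asked for. The DEFAULT_CAPS set is an assumption (the 14 Docker defaults; CRI-O's set comes from crio.conf and may differ), the sample status text is constructed, and the "drop before add" ordering is the assumed runtime behaviour. It checks the bounding set rather than the effective set on purpose: a non-root container shows CapEff 0 even when nothing was dropped, and file capabilities can re-acquire anything still in CapBnd.

```python
"""Decode Linux capability masks from /proc/<pid>/status and compare them
with a pod securityContext.capabilities {drop, add} request."""
import re
import sys

# Capability bit numbers from <linux/capability.h>; list index == bit number.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Assumption: the runtime's default capability set. These are the 14 Docker
# defaults (mask 00000000a80425fb). CRI-O reads its set from crio.conf, so
# adjust this before trusting the "expected" side of the comparison.
DEFAULT_CAPS = frozenset({
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
    "AUDIT_WRITE", "SETFCAP",
})

# Constructed sample /proc/1/status excerpts (not captured from a real pod).
# Non-root user, nothing dropped: CapEff is 0 but the bounding set is intact.
SAMPLE_NOT_DROPPED = (
    "Name:\tsleep\nUid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
)
# Same container after the runtime really honoured drop: ALL.
SAMPLE_DROPPED = SAMPLE_NOT_DROPPED.replace("CapBnd:\t00000000a80425fb",
                                            "CapBnd:\t0000000000000000")


def decode_mask(mask):
    """Return the sorted capability names whose bit is set in mask."""
    return sorted(name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1)


def parse_status_caps(status_text):
    """Extract the Cap* hex masks from /proc/<pid>/status text as ints."""
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}


def normalize(cap):
    """Accept 'all', 'net_raw' and 'CAP_NET_RAW' spellings alike."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def expected_caps(drop=(), add=(), base=DEFAULT_CAPS):
    """Capabilities a container should keep after drop (first) then add.
    'ALL' in drop empties the set; 'ALL' in add grants every capability."""
    drop = {normalize(c) for c in drop}
    add = {normalize(c) for c in add}
    remaining = set() if "ALL" in drop else set(base) - drop
    if "ALL" in add:
        return set(CAP_NAMES)
    return remaining | add


def leftover_caps(status_text, drop=(), add=()):
    """Capabilities still in CapBnd that the securityContext should have removed."""
    bnd = parse_status_caps(status_text)["CapBnd"]
    return sorted(set(decode_mask(bnd)) - expected_caps(drop, add))


if __name__ == "__main__":
    # Usage: oc exec <pod> -- cat /proc/1/status | python3 check_caps.py ALL
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NOT_DROPPED
    drop = sys.argv[1:] or ["ALL"]
    caps = parse_status_caps(text)
    for field, mask in caps.items():
        print(f"{field}: {mask:016x} {decode_mask(mask)}")
    left = leftover_caps(text, drop=drop)
    print("still in bounding set despite drop", drop, "->", left or "none")
```

Run it in a pod whose container has `securityContext.capabilities.drop: ["ALL"]`; if the last line lists the default set, the keyword was not honoured by the runtime, which is what the reproducer shows on 4.6.12.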
Comment 1 Qi Wang 2021-03-03 21:50:40 UTC
This has been discussed in the crio team. It's not a crio bug. The current result is expected, crio does not drop any capabilities. The document of SCC may be misleading in using ALL.

Comment 2 Mario Vázquez 2021-03-04 08:44:06 UTC
(In reply to Qi Wang from comment #1)
> This has been discussed in the crio team. It's not a crio bug. The current
> result is expected, crio does not drop any capabilities. The document of SCC
> may be misleading in using ALL.

It seems this was supported when docker was the runtime used by OpenShift 3. Would it be possible to get it implemented in CRIO? - If you think it's possible I'll open an RFE.

Comment 3 Qi Wang 2021-03-08 19:32:05 UTC
> It seems this was supported when docker was the runtime used by OpenShift 3.
> Would it be possible to get it implemented in CRIO? - If you think it's
> possible I'll open an RFE.

Thanks. I don't think it's planned to be implemented. The current result is expected and stays consistent with containerd.

Comment 5 Qi Wang 2021-03-10 15:38:47 UTC
Ref: openshift-docs PR will update the SCC instructions
https://github.com/openshift/openshift-docs/pull/30197
