1966621 – assisted-installer namespace uses openshift.io/run-level and bypasses SCC, but should not be

Bug 1966621 - assisted-installer namespace uses openshift.io/run-level and bypasses SCC, but should not be

Summary: assisted-installer namespace uses openshift.io/run-level and bypasses SCC, bu...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Advanced Cluster Management for Kubernetes
Classification:	Red Hat
Component:	Infrastructure Operator
Sub Component:
Version:	rhacm-2.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	medium
Target Milestone:	---
Target Release:	rhacm-2.5
Assignee:	Mat Kowalski
QA Contact:
Docs Contact:	Derek
URL:
Whiteboard:	AI-Team-Platform
Depends On:	1805488 1805572 1805917 1806438 1806439 1806892 1806893 1806902 1806903 1806904 1806905 1806906 1806907 1806908 1806909 1806913 1806915 1806917 1806918 1806919 1807490 1807659 1807762 1830496 1830497
Blocks:	2010901
TreeView+	depends on / blocked

Reported:	2021-06-01 14:15 UTC by Mat Kowalski
Modified:	2022-10-03 20:18 UTC (History)
CC List:	19 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:	1805488
Environment:
Last Closed:	2022-10-03 20:18:56 UTC
Target Upstream Version:
Embargoed:
Flags:	ming: rhacm-2.4+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	open-cluster-management backlog issues 16862	None	None	None	2021-10-05 19:42:20 UTC
Github	openshift assisted-installer pull 291	None	Merged	Bug 1966621: Do not use run-level label for assisted-installer namespace	2021-10-06 07:24:56 UTC
Red Hat Issue Tracker	MGMTBUGSM-330	None	None	None	2022-04-23 04:42:25 UTC

Description Mat Kowalski 2021-06-01 14:15:29 UTC

+++ This bug was initially created as a clone of Bug #1805488 +++

Run-level 1 bypasses SCC, but many components have no need for that (are less secure as a result).  Every component that does not need to be up before SCC starts should be in either the anyuid or restricted SCC profile so they get a stable SELinux label.

Because these components are running without the appropriate restrictions, the security profile of these core components is weaker than it should be.

All platform components that can run without a run level MUST do so, and use anyuid or restricted unless they can make a case for host network or privileged. Those components should be granted access to the protected SCCs.

+++

In our scenario `assisted-installer` namespace in a cluster created using Assisted Installer is labeled as `openshift.io/run-level: "0"`. This has been done for performance reasons so that the controller starts as soon as possible during the installation.

Comment 2 Mat Kowalski 2021-06-04 09:13:02 UTC

One path worth investigating is use of pod priority classes [1] in order to mark assisted-installer-controller. There are already a default classes defined and reusing one of those could give us the same result (scheduling-wise) as the current approach with run-level.

[1] https://docs.openshift.com/container-platform/4.7/nodes/pods/nodes-pods-priority.html#admin-guide-priority-preemption-priority-class_nodes-pods-priority

Note You need to log in before you can comment on or make changes to this bug.