Bug 1966621 - assisted-installer namespace uses openshift.io/run-level and bypasses SCC, but should not be
Summary: assisted-installer namespace uses openshift.io/run-level and bypasses SCC, bu...
Alias: None
Product: Red Hat Advanced Cluster Management for Kubernetes
Classification: Red Hat
Component: Infrastructure Operator
Version: rhacm-2.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: rhacm-2.5
Assignee: Mat Kowalski
QA Contact:
Whiteboard: AI-Team-Platform
Depends On: 1805488 1805572 1805917 1806438 1806439 1806892 1806893 1806902 1806903 1806904 1806905 1806906 1806907 1806908 1806909 1806913 1806915 1806917 1806918 1806919 1807490 1807659 1807762 1830496 1830497
Blocks: 2010901
TreeView+ depends on / blocked
Reported: 2021-06-01 14:15 UTC by Mat Kowalski
Modified: 2022-10-03 20:18 UTC (History)
19 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1805488
Last Closed: 2022-10-03 20:18:56 UTC
Target Upstream Version:
ming: rhacm-2.4+

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github open-cluster-management backlog issues 16862 0 None None None 2021-10-05 19:42:20 UTC
Github openshift assisted-installer pull 291 0 None Merged Bug 1966621: Do not use run-level label for assisted-installer namespace 2021-10-06 07:24:56 UTC
Red Hat Issue Tracker MGMTBUGSM-330 0 None None None 2022-04-23 04:42:25 UTC

Description Mat Kowalski 2021-06-01 14:15:29 UTC
+++ This bug was initially created as a clone of Bug #1805488 +++

Run-level 1 bypasses SCC, but many components have no need for that (are less secure as a result).  Every component that does not need to be up before SCC starts should be in either the anyuid or restricted SCC profile so they get a stable SELinux label.

Because these components are running without the appropriate restrictions, the security profile of these core components is weaker than it should be.

All platform components that can run without a run level MUST do so, and use anyuid or restricted unless they can make a case for host network or privileged. Those components should be granted access to the protected SCCs.


In our scenario `assisted-installer` namespace in a cluster created using Assisted Installer is labeled as `openshift.io/run-level: "0"`. This has been done for performance reasons so that the controller starts as soon as possible during the installation.

Comment 2 Mat Kowalski 2021-06-04 09:13:02 UTC
One path worth investigating is use of pod priority classes [1] in order to mark assisted-installer-controller. There are already a default classes defined and reusing one of those could give us the same result (scheduling-wise) as the current approach with run-level.

[1] https://docs.openshift.com/container-platform/4.7/nodes/pods/nodes-pods-priority.html#admin-guide-priority-preemption-priority-class_nodes-pods-priority

Note You need to log in before you can comment on or make changes to this bug.