Description of problem (please be as detailed as possible and provide log snippets):
========================================================================
Any OCS pod running with root privileges is an issue for the ODF Managed Services offering, and with the fix for Bug 1976840, the toolbox pod created as part of ocs-operator runs without root privileges. But when we initiate the must-gather collection, 2 must-gather pods are created as part of the collection: one in the OCP namespace and one helper pod (similar to the toolbox pod) for collecting ceph information. Both these pods are seen to be running with root privileges.

Raising this separate bug based on discussions here:
--------------------------------------------------------
Bug 1976840#c19
Chat - https://chat.google.com/room/AAAASHA9vWs/aJzAHKpWAg4

Command - oc adm must-gather --image=quay.io/rhceph-dev/ocs-must-gather:latest-4.7

>> PODS
==========
```
openshift-must-gather-4kfjf   must-gather-2txtb          2/2   Running   0   100s   -> OCP
openshift-storage             must-gather-2txtb-helper   1/1   Running   0   95s
```

>> Must-gather helper pod
============================
```
$ oc rsh -n openshift-storage must-gather-2txtb-helper whoami
root

$ oc get pod must-gather-2txtb-helper -n openshift-storage -o yaml
securityContext:
  privileged: true
```

>> OCP must-gather pod running on master node
================================================
```
$ oc get pod -n openshift-must-gather-p7shc must-gather-rppgs -o yaml
...
securityContext: {}

$ oc rsh -n openshift-must-gather-4kfjf must-gather-2txtb whoami
Defaulted container "gather" out of: gather, copy
root   --> root privileges
```

Version of all relevant components (if applicable):
=======================================================
All OCS versions
OCP = 4.7.0-0.nightly-2021-08-06-180629
OCS = ocs-operator.v4.7.3-243.ci

Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)?
==========================================================================
We need to consider the impact on security services for the Managed Services team.

Is there any workaround available to the best of your knowledge?
====================================================================
No. must-gather uses a pre-defined toolbox yaml for the helper pod which did not take the changes introduced via Bug 1976840.

Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)?
======================================
3

Is this issue reproducible?
=================================
Always

Can this issue be reproduced from the UI?
==========================================
N/A

If this is a regression, please provide more details to justify this:
=======================================================================
No

Steps to Reproduce:
==========================
1. Install OCS any version, say 4.7.3 or 4.8
2. Run must-gather. If 4.7:
   oc adm must-gather --image=quay.io/rhceph-dev/ocs-must-gather:latest-4.7
3. RSH to the must-gather pods and check the user with "whoami", e.g.
   $ oc rsh -n openshift-storage must-gather-2txtb-helper whoami
   $ oc rsh -n openshift-must-gather-p7shc must-gather-rppgs whoami

Actual results:
====================
The must-gather helper pod which gets created in the openshift-storage namespace and the MG pod created in a custom openshift namespace both run with root privileges.

Expected results:
=====================
For the Managed Services use case, the pods should not run with root privileges.

Additional info:
====================
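As an added example (not code from this bug report or from ocs-operator), the check below audits the JSON form of a pod, i.e. what `oc get pod <name> -n <ns> -o json` or `oc get pods -o json` prints, for the two conditions visible in the report: a container with `privileged: true`, and an empty `securityContext` that leaves the image's default user (here root) in place. The sample pods are constructed to mirror the helper and gather pods above; the hardened variant (`runAsNonRoot: true`, `runAsUser: 1000`) is an assumed shape of a non-root helper, not the contents of the eventual fix.

```python
"""Flag pods whose containers may run privileged or as root.

Added example, not code from the bug report or from ocs-operator. Input is
the JSON that `oc get pod ... -o json` prints (a Pod or a PodList).
"""
import json
from typing import Dict, List


def audit_pod(pod: Dict) -> List[str]:
    """Return one finding per container that is privileged or may run as root."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings: List[str] = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        csc = c.get("securityContext") or {}
        cname = c.get("name", "<unnamed>")
        # Container-level settings override the pod-level ones.
        run_as_user = csc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = csc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if csc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        if run_as_user == 0:
            findings.append(f"{name}/{cname}: runAsUser is 0 (root)")
        elif run_as_user is None and not run_as_non_root:
            # Nothing pins the UID, so the image's USER applies. This is the
            # `securityContext: {}` case on the OCP must-gather pod, where
            # `whoami` returned root.
            findings.append(
                f"{name}/{cname}: no runAsUser or runAsNonRoot, "
                "image default user applies (may be root)"
            )
    return findings


def audit_json(text: str) -> List[str]:
    """Accept either a single Pod or a PodList document."""
    doc = json.loads(text)
    pods = doc.get("items", []) if doc.get("kind") == "PodList" else [doc]
    out: List[str] = []
    for pod in pods:
        out.extend(audit_pod(pod))
    return out


# Constructed samples modelled on the pods in the report (not real cluster output).
HELPER_POD = {
    "kind": "Pod",
    "metadata": {"name": "must-gather-2txtb-helper", "namespace": "openshift-storage"},
    "spec": {"containers": [
        {"name": "helper", "image": "quay.io/rhceph-dev/ocs-must-gather:latest-4.7",
         "securityContext": {"privileged": True}},
    ]},
}
GATHER_POD = {
    "kind": "Pod",
    "metadata": {"name": "must-gather-2txtb", "namespace": "openshift-must-gather-4kfjf"},
    "spec": {"securityContext": {}, "containers": [
        {"name": "gather", "securityContext": {}},
        {"name": "copy", "securityContext": {}},
    ]},
}
# Assumed hardened shape: UID pinned to 1000 and non-root enforced by the kubelet.
FIXED_HELPER_POD = {
    "kind": "Pod",
    "metadata": {"name": "must-gather-rmrm7-helper", "namespace": "openshift-storage"},
    "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
             "containers": [
                 {"name": "helper",
                  "securityContext": {"privileged": False, "allowPrivilegeEscalation": False}},
             ]},
}
SAMPLE_POD_LIST_JSON = json.dumps(
    {"kind": "PodList", "items": [HELPER_POD, GATHER_POD, FIXED_HELPER_POD]}
)

if __name__ == "__main__":
    for line in audit_json(SAMPLE_POD_LIST_JSON):
        print(line)
```

Run against a live cluster by piping `oc get pods -A -o json` into `audit_json`; a pod with `runAsNonRoot: true` and no explicit UID produces no finding because the kubelet refuses to start it if the image resolves to UID 0.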
Yeati, what is the latest status on this BZ?
The helper pod privilege is changed, but looking into how we can change the privilege for the must-gather pod. Will make a PR for the same by the end of the week.
Can't fix it before 4.9 dev freeze and not a blocker. Can be backported if required.
Changed the root privilege for the helper pod from root to user.
```
[yatipadia@192 ocs-operator]$ oc rsh -n openshift-storage must-gather-rmrm7-helper whoami
1000
```
Root privilege for the OCP must-gather pod running on the master node is not part of OCS-must-gather. Hence, I would suggest opening a separate bug under OCP.
```
[yatipadia@192 ocs-operator]$ oc get ns | grep must-gather
openshift-must-gather-qpb5r   Active   46s
[yatipadia@192 ocs-operator]$ oc get pods -n openshift-must-gather-qpb5r
NAME                READY   STATUS    RESTARTS   AGE
must-gather-rmrm7   2/2     Running   0          56s
[yatipadia@192 ocs-operator]$ oc rsh -n openshift-must-gather-qpb5r must-gather-rmrm7 whoami
Defaulted container "gather" out of: gather, copy
root
```
Raised a PR for the same: https://github.com/red-hat-storage/ocs-operator/pull/1397
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.10.0 enhancement, security & bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:1372