Bug 2023342
| Summary: | SCC admission should take ephemeralContainers into account | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Standa Laznicka <slaznick> |
| Component: | apiserver-auth | Assignee: | Standa Laznicka <slaznick> |
| Status: | CLOSED ERRATA | QA Contact: | Yash Tripathi <ytripath> |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | | |
| Version: | 4.10 | CC: | aos-bugs, mfojtik, surbania, xxia |
| Target Milestone: | --- | | |
| Target Release: | 4.10.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-03-10 16:27:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Standa Laznicka
2021-11-15 13:13:40 UTC
Yash, this needs to add a QE test case. After fixed / verified, pls help add one test case for it (ask me to peer review) (and attach the test case in this bug then remove the keyword being added). Thanks

moving to post, we'll still have to bump this in o/k and wait for the rebase in order to be able to test it

I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

The fixed apiserver-library-go was merged to o/k master as a part of https://github.com/openshift/kubernetes/pull/1087

Verified on 4.10.0-0.nightly-2022-01-17-223655
Steps:
Create a project and try to create a privileged ephemeral container with a user that is not allowed to create privileged containers
1. `oc new-project <project>`
2. Create the pod:

```shell
oc create -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ephemeral-demo
spec:
  containers:
  - image: k8s.gcr.io/pause:3.1
    imagePullPolicy: IfNotPresent
    name: ephemeral-demo
    resources: {}
    securityContext:
      capabilities:
        drop:
        - KILL
        - MKNOD
        - SETGID
        - SETUID
      runAsUser: 1000650000
  ephemeralContainers:
  - name: ephemeral-demo-debug
    image: busybox
    securityContext:
      privileged: true
EOF
```
Expected:
Unable to create container with error
provider "nonroot": Forbidden: not usable by user or serviceaccount, spec.ephemeralContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed
Found:
Unable to create container with error
provider "nonroot": Forbidden: not usable by user or serviceaccount, spec.ephemeralContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed
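As an added illustration (not code from this bug, from apiserver-library-go or from OpenShift), a simplified Go model of the admission check before and after the fix: the pre-fix version walks only `spec.containers`, the fixed version also walks `spec.ephemeralContainers`. The pod types are assumed stand-ins, not the real `corev1` types, and the pre-fix model is a simplification of the original admission logic.

```go
package main
import "fmt"
// Minimal stand-ins for the corev1 pod types (assumed, to build without k8s packages).
type SecurityContext struct{ Privileged *bool }
type Container struct {
	Name            string
	SecurityContext *SecurityContext
}
type PodSpec struct {
	Containers          []Container
	EphemeralContainers []Container
}

// checkList returns one field path per privileged container, in the style of the bug's error.
func checkList(field string, cs []Container) []string {
	var out []string
	for i, c := range cs {
		if sc := c.SecurityContext; sc != nil && sc.Privileged != nil && *sc.Privileged {
			out = append(out, fmt.Sprintf("spec.%s[%d].securityContext.privileged", field, i))
		}
	}
	return out
}

// Simplified model of the pre-fix admission: only spec.containers is walked,
// so a privileged ephemeral container is never reported.
func privilegedViolationsBeforeFix(spec PodSpec) []string {
	return checkList("containers", spec.Containers)
}

// Fixed behaviour: spec.ephemeralContainers is validated with the same rule.
func privilegedViolations(spec PodSpec) []string {
	return append(checkList("containers", spec.Containers),
		checkList("ephemeralContainers", spec.EphemeralContainers)...)
}

// Constructed pod matching the reproducer: pause container plus a privileged ephemeral debug container.
func demoPod() PodSpec {
	priv := true
	return PodSpec{
		Containers: []Container{{Name: "ephemeral-demo"}},
		EphemeralContainers: []Container{{Name: "ephemeral-demo-debug",
			SecurityContext: &SecurityContext{Privileged: &priv}}},
	}
}

func main() {
	fmt.Println("before fix:", privilegedViolationsBeforeFix(demoPod())) // before fix: []
	fmt.Println("after fix:", privilegedViolations(demoPod()))           // after fix: [spec.ephemeralContainers[0].securityContext.privileged]
}
```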
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056