Bug 2082151 - DAC_OVERRIDE capability is required by Compliance Operator
Summary: DAC_OVERRIDE capability is required by Compliance Operator
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Compliance Operator
Version: 4.8
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.11.0
Assignee: Vincent Shen
QA Contact:
URL:
Whiteboard:
Duplicates: 2102025
Depends On:
Blocks:
Reported: 2022-05-05 13:34 UTC by Shailendra Singh
Modified: 2022-07-13 12:22 UTC
CC: 9 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-06-06 14:39:50 UTC
Target Upstream Version:
Embargoed:




Links:
  GitHub ComplianceAsCode/compliance-operator pull 15 (open): Bug 2082151: Fix scanner pod script mount permission; last updated 2022-05-06 18:27:04 UTC
  Red Hat Product Errata RHBA-2022:4657; last updated 2022-06-06 14:39:55 UTC

Description Shailendra Singh 2022-05-05 13:34:52 UTC
Description of problem:
Using a custom SCC drops DAC_OVERRIDE capability

Version-Release number of selected component (if applicable):
OCP v4.8.24
compliance-operator v0.1.48

How reproducible:
Always

Actual results:
Platform-level scans (ocp4-cis-api-checks-pod and ocp4-moderate-api-checks-pod) fail to start due to a missing capability, which is required by the scanner container.

$ oc get po -n openshift-compliance
ocp4-cis-api-checks-pod                                 1/2     CrashLoopBackOff   71         5h15m
ocp4-moderate-api-checks-pod                            1/2     CrashLoopBackOff   216        16h

Expected results:

Need a permanent solution that doesn't require additional SCCs, as such an SCC introduces a potential security hole at the cluster level. We need to know why exactly DAC_OVERRIDE is needed and, if it is not, please develop a fix. It is likely due to incorrect permissions set on the script that executes the scan.

Creating a tailored SCC specifically for the scanner's SA works. Ref: https://gss--c.visualforce.com/apex/Case_View?id=5006R00001lAxgm&sfdc.override=1


Additional info:
$ oc logs ocp4-cis-api-checks-pod -c scanner -n openshift-compliance
standard_init_linux.go:219: exec user process caused: permission denied

It is automatically assigned the anyuid SCC, but the container executes the following path as its entrypoint:

/scripts/openscap-container-entrypoint

Here is the indication that a custom SCC is assigned:

$ oc get -o yaml po/ocp4-cis-api-checks-pod -n openshift-compliance | grep scc
    openshift.io/scc: restricted-dropcaps
$ oc get -o yaml po/ocp4-moderate-api-checks-pod -n openshift-compliance | grep scc
    openshift.io/scc: restricted-dropcaps

Dropped capabilities from the SCC:

$ oc get -o yaml scc/restricted-dropcaps | grep -A 11 requiredDropCapabilities:
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- SETPCAP
- NET_BIND_SERVICE
runAsUser:

If DAC_OVERRIDE is removed and rescan is triggered, both pods start and complete as expected.
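
As an added illustration (not part of this bug report or of the operator's code), the following Python models the Linux DAC execute check to show why a root-owned script mounted without an execute bit for the scanner's UID class fails with "permission denied" unless CAP_DAC_OVERRIDE is held, and why fixing the mount mode removes the need for the capability. The file modes, owner and scanner UID are constructed sample values.

```python
# Simplified model of the kernel's DAC permission check for execute access.
# Constructed for illustration; not the Compliance Operator's code.

def may_exec(mode, file_uid, file_gid, uid, gids, cap_dac_override):
    """Return True if a process (uid, gids) may execute a file with the
    given mode and owner.  Mirrors the Linux rule that CAP_DAC_OVERRIDE
    bypasses DAC for exec only when at least one execute bit is set."""
    if uid == file_uid:
        bits = (mode >> 6) & 0o7          # owner class
    elif file_gid in gids:
        bits = (mode >> 3) & 0o7          # group class
    else:
        bits = mode & 0o7                 # other class
    if bits & 0o1:                        # plain DAC grants execute
        return True
    # DAC_OVERRIDE cannot make a file with no exec bits at all executable
    return cap_dac_override and bool(mode & 0o111)

# Constructed scenario: entrypoint script owned by root:root, container
# running as an arbitrary non-root UID with supplemental group 0, which
# is what a restricted-style SCC assigns.
SCRIPT_UID, SCRIPT_GID = 0, 0
SCAN_UID, SCAN_GIDS = 1000690000, {0}

def scanner_can_start(mount_mode, cap_dac_override):
    """Can the scanner container exec its entrypoint under this mode?"""
    return may_exec(mount_mode, SCRIPT_UID, SCRIPT_GID,
                    SCAN_UID, SCAN_GIDS, cap_dac_override)

if __name__ == "__main__":
    for mode in (0o744, 0o755):
        for cap in (False, True):
            print(f"mode={mode:o} DAC_OVERRIDE={cap}: "
                  f"{scanner_can_start(mode, cap)}")
```

With a 0744 mount the scanner starts only when DAC_OVERRIDE is available, which matches the CrashLoopBackOff seen under restricted-dropcaps; with 0755 it starts without the capability.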

Comment 1 Vincent Shen 2022-05-05 23:40:26 UTC
As of right now, DAC_OVERRIDE is needed for our scanner to perform a platform scan; however, a fix patch PR is proposed: https://github.com/ComplianceAsCode/compliance-operator/pull/15.

It will be available in the 4.11 release or our next Compliance Operator release.

Comment 4 xiyuan 2022-05-27 14:41:33 UTC
Verification passed with 4.11.0-0.nightly-2022-05-25-193227 and compliance-operator.v0.1.52
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-05-25-193227   True        False         9h      Cluster version is 4.11.0-0.nightly-2022-05-25-193227
$ oc get ip
NAME            CSV                           APPROVAL    APPROVED
install-88n4p   compliance-operator.v0.1.52   Automatic   true
$ oc get csv
NAME                           DISPLAY                            VERSION   REPLACES   PHASE
compliance-operator.v0.1.52    Compliance Operator                0.1.52               Succeeded
elasticsearch-operator.5.4.2   OpenShift Elasticsearch Operator   5.4.2                Succeeded
$ oc apply -f -<<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: my-ssb-r
profiles:
  - name: ocp4-moderate-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-cis
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-cis-node
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
EOF
scansettingbinding.compliance.openshift.io/my-ssb-r created

$ oc get suite -w
NAME       PHASE         RESULT
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   AGGREGATING   NOT-AVAILABLE
my-ssb-r   DONE          NON-COMPLIANT
my-ssb-r   DONE          NON-COMPLIANT
^C[xiyuan@MiWiFi-RA69-srv func]$ oc get pod
NAME                                                    READY   STATUS      RESTARTS   AGE
aggregator-pod-ocp4-cis                                 0/1     Completed   0          79s
aggregator-pod-ocp4-cis-node-master                     0/1     Completed   0          89s
aggregator-pod-ocp4-cis-node-worker                     0/1     Completed   0          99s
aggregator-pod-ocp4-moderate-node-master                0/1     Completed   0          2m9s
aggregator-pod-ocp4-moderate-node-worker                0/1     Completed   0          2m9s
compliance-operator-59b569f68d-nzt96                    1/1     Running     0          5h12m
ocp4-cis-api-checks-pod                                 0/2     Completed   0          2m9s
ocp4-openshift-compliance-pp-5cd896b74c-zfmg4           1/1     Running     0          5h12m
openscap-pod-21922ec3049a0c51505213220479bb7bcddcdf27   0/2     Completed   0          3m
openscap-pod-2a950c2252f82a87fa0bfa0c1315d3f0665f3a03   0/2     Completed   0          3m6s
openscap-pod-2d79298421fcff2f0ae485f605f1229af412a1c3   0/2     Completed   0          2m10s
openscap-pod-2da7af0e42f11f0b250aa439b7283ee21680b970   0/2     Completed   0          2m10s
openscap-pod-322d334c4fb70733a853905f31b8a764e2cfeae2   0/2     Completed   0          3m6s
openscap-pod-4953187ed5203309285dcd48e1702276dea0df2b   0/2     Completed   0          2m10s
openscap-pod-57749d280bb87de1b20878cf8b083ded57116b94   0/2     Completed   0          2m10s
openscap-pod-5c8537ea476ca1b0c887b9ed24714121dceae10c   0/2     Completed   0          3m
openscap-pod-688e459e8cd71b31bb0aac1a086952b7049d7590   0/2     Completed   0          2m10s
openscap-pod-a960a5bd3bbfc6c336a2ab10005eebd2463f1ce2   0/2     Completed   0          3m
openscap-pod-ee23ed76be40a5842d463f001b5d3680a7d2ac45   0/2     Completed   0          3m6s
openscap-pod-fe8ea3ec722771b8ffd019433aaab1d819e00efd   0/2     Completed   0          2m10s
rhcos4-openshift-compliance-pp-78bf7c5bf9-mhhkk         1/1     Running     0          5h12m
$ oc logs pod/ocp4-cis-api-checks-pod -c scanner
HOSTROOT not set, using normal oscap
cat: /app/scap_version: No such file or directory
Running oscap-chroot  as oscap xccdf eval --verbose INFO --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_cis --results-arf /tmp/report-arf.xml /content/ssg-ocp4-ds.xml
The scanner returned 2
I: oscap: Identified document type: data-stream-collection
I: oscap: Created a new XCCDF session from a SCAP Source Datastream '/content/ssg-ocp4-ds.xml'.
I: oscap: Validating XML signature.
I: oscap: Signature node not found
I: oscap: Identified document type: Benchmark
I: oscap: Identified document type: cpe-list
I: oscap: Started new OVAL agent ssg-ocp4-oval.xml.
I: oscap: Querying system information.
I: oscap: Starting probe on URI 'queue://system_info'.
I: oscap: I will run system_info_probe_main:
I: oscap: Evaluating a XCCDF policy with selected 'xccdf_org.ssgproject.content_profile_cis' profile.
Title   Restrict Automounting of Service Account Tokens
Rule    xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens
I: oscap: Evaluating XCCDF rule 'xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens'.
I: oscap: Started new OVAL agent ssg-ocp4-cpe-oval.xml.
I: oscap: Querying system information.
I: oscap: Starting probe on URI 'queue://system_info'.
I: oscap: I will run system_info_probe_main:
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4:def:1': Red Hat OpenShift Container Platform.
I: oscap:   Evaluating yamlfilecontent test 'oval:ssg-test_ocp4:tst:1': Find one match.
I: oscap:     Querying yamlfilecontent object 'oval:ssg-object_ocp4:obj:1', flags: 0.
I: oscap:     Creating new syschar for yamlfilecontent_object 'oval:ssg-object_ocp4:obj:1'.
I: oscap:     Starting probe on URI 'queue://yamlfilecontent'.
I: oscap:     Object 'oval:ssg-object_ocp4:obj:1' references variable 'oval:ssg-ocp4_dump_location:var:1' in 'filepath' field.
I: oscap:     Querying variable 'oval:ssg-ocp4_dump_location:var:1'.
I: oscap:     Variable 'oval:ssg-ocp4_dump_location:var:1' has values "/kubernetes-api-resources/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver".
...
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_openshiftsdn:def:1': Red Hat OpenShift Container network 4 on OpenShiftSDN.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_openshiftsdn:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_hypershift:def:1': Red Hat OpenShift Container Platform.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_hypershift:def:1' evaluated as false.
I: oscap: Evaluating definition 'oval:ssg-installed_app_is_ocp4_on_openshiftsdn:def:1': Red Hat OpenShift Container network 4 on OpenShiftSDN.
I: oscap: Definition 'oval:ssg-installed_app_is_ocp4_on_openshiftsdn:def:1' evaluated as false.
I: oscap: Rule 'xccdf_org.ssgproject.content_rule_file_permissions_proxy_kubeconfig' is not applicable.
Result  notapplicable

The rds-split operation returned 0


$ oc get -o yaml po/ocp4-cis-api-checks-pod -n openshift-compliance | grep scc
    openshift.io/scc: restricted-v2

Comment 6 errata-xmlrpc 2022-06-06 14:39:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Compliance Operator bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:4657

Comment 7 Jakub Hrozek 2022-07-01 13:00:23 UTC
*** Bug 2102025 has been marked as a duplicate of this bug. ***

