Bug 2082216 - Velero and Restic are using incorrect SCCs [OADP-BL]
Summary: Velero and Restic are using incorrect SCCs [OADP-BL]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Migration Toolkit for Containers
Classification: Red Hat
Component: Velero
Version: 1.7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 1.7.2
Assignee: Dylan Murray
QA Contact: Xin jiang
Docs Contact: Richard Hoch
URL: https://issues.redhat.com/browse/OADP...
Whiteboard:
Depends On:
Blocks:
Reported: 2022-05-05 15:18 UTC by Jason Montleon
Modified: 2025-10-03 12:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-02 07:45:42 UTC
Target Upstream Version:
Embargoed:



Description Jason Montleon 2022-05-05 15:18:58 UTC
Description of problem:
This is a tracking bug for MTC. The bug is actually in OADP.

The permissions for velero are too permissive.

In particular this rule grants use to every SCC:
```yaml
            - apiGroups:
                - '*'
              resources:
                - '*'
              verbs:
                - '*'
```

It looks like once a clusterrole is created OLM won't overwrite it if it is edited so I believe we can work around this in the following manner until there is a release:

```shell
oc get clusterrolebinding | grep oadp
```
Look at each of these and determine which one has the subject with the velero SA:
```yaml
subjects:
- kind: ServiceAccount
  name: velero
  namespace: openshift-migration
```

In my case it is oadp-operator.v1.0.2-f84b8b4b5, so I edit the clusterrole with the same name: `oc edit clusterrole oadp-operator.v1.0.2-f84b8b4b5`
You'll see a set of rules that look like this:
```yaml
- apiGroups:
    - '*'
  resources:
    - '*'
  verbs:
    - '*'
- apiGroups:
  - security.openshift.io
  resourceNames:
  - privileged
  - velero-privileged
  resources:
  - securitycontextconstraints
  verbs:
  - use
```
Delete those and add these:
```yaml
- apiGroups:
  - build.openshift.io
  - migration.openshift.io
  - rbac.authorization.k8s.io
  - velero.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - '*'
- apiGroups:
  - packages.operators.coreos.com
  resources:
  - packagemanifests
  verbs:
  - '*'
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - watch
  - list
  - update
  - patch
  - create
  - delete
  - assign
  - deletecollection
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  verbs:
  - use
  resourceNames:
  - privileged
```
Delete velero and restic pods so they are recreated afterwards.
```
$ oc get po velero-5fcfd885d4-8d858 restic-6hfht -o yaml | grep scc
      openshift.io/scc: restricted
      openshift.io/scc: privileged
```

When I was exploring more today I saw node-exporter and anyuid, which is wrong, but let things work for the most part. With more custom SCCs and the more permissive rule they could be almost anything though.
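As an added example (not part of the bug report or the OADP project), the following audit mirrors the check described above: given a ClusterRole as returned by `oc get clusterrole <name> -o json`, it reports which SCCs the role can `use`, flagging a wildcard rule that implicitly grants every SCC. The two sample ClusterRoles are constructed from the "before" and "after" rules quoted in the description; RBAC matching (explicit entry or `'*'`, absent `resourceNames` meaning all objects) follows the Kubernetes semantics.

```python
import json

SCC_GROUP = "security.openshift.io"
SCC_RESOURCE = "securitycontextconstraints"

def _matches(values, wanted):
    # RBAC list fields match on an explicit entry or on the '*' wildcard.
    return "*" in values or wanted in values

def scc_use_grants(clusterrole):
    """Return the set of SCC names the role may 'use'; {'*'} means every SCC."""
    granted = set()
    for rule in clusterrole.get("rules", []):
        if "nonResourceURLs" in rule:
            continue  # URL rules never grant verbs on API objects
        if not (_matches(rule.get("apiGroups", []), SCC_GROUP)
                and _matches(rule.get("resources", []), SCC_RESOURCE)
                and _matches(rule.get("verbs", []), "use")):
            continue
        names = rule.get("resourceNames")
        if not names:
            return {"*"}  # no resourceNames: any SCC, including ones created later
        granted.update(names)
    return granted

# Constructed samples mirroring the rules quoted in the bug description.
BEFORE = json.loads("""{"rules": [
  {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
  {"apiGroups": ["security.openshift.io"], "resources": ["securitycontextconstraints"],
   "resourceNames": ["privileged", "velero-privileged"], "verbs": ["use"]}]}""")

AFTER = json.loads("""{"rules": [
  {"apiGroups": ["*"], "resources": ["*"],
   "verbs": ["get", "watch", "list", "update", "patch", "create", "delete",
             "assign", "deletecollection"]},
  {"nonResourceURLs": ["*"], "verbs": ["*"]},
  {"apiGroups": ["security.openshift.io"], "resources": ["securitycontextconstraints"],
   "resourceNames": ["privileged"], "verbs": ["use"]}]}""")

def audit(name, clusterrole):
    """Return (name, sorted grants, is_wildcard) so a caller can alert on wildcards."""
    grants = scc_use_grants(clusterrole)
    return name, sorted(grants), "*" in grants

if __name__ == "__main__":
    for label, role in (("before", BEFORE), ("after", AFTER)):
        print(audit(label, role))
```

Run against every ClusterRole bound to the velero ServiceAccount; a `True` in the third field means the binding grants `use` on all SCCs, which is the over-permissive state the report describes.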

Comment 1 Erik Nelson 2022-06-03 15:19:16 UTC
We're expecting a fix for this to land in OADP 1.0.3

Comment 9 errata-xmlrpc 2022-08-02 07:45:42 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Migration Toolkit for Containers (MTC) 1.7.3 security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5840

