Bug 2179803 - [GSS]The scc rook-ceph and rook-ceph-csi does not have "Required Drop Capabilities"
Summary: [GSS]The scc rook-ceph and rook-ceph-csi does not have "Required Drop Capabil...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: rook
Version: 4.10
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
: ---
Assignee: Subham Rai
QA Contact: Neha Berry
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-03-20 07:04 UTC by Karun Josy
Modified: 2024-05-23 08:07 UTC (History)
7 users (show)

Fixed In Version: 4.14.3-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-02-09 06:18:59 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github rook rook pull 12295 0 None open security: remove default scc privileges 2023-05-29 09:52:25 UTC

Description Karun Josy 2023-03-20 07:04:26 UTC 
* Description of problem (please be detailed as possible and provide log
snippests):

The security context for rook-ceph and rook-ceph-csi does not have RequiredDropCapabilities set. 

Steps to reproduce:
# oc get scc
# oc describe scc rook-ceph | grep " Required Drop Capabilities"
  Required Drop Capabilities:                   <none>

# oc describe scc rook-ceph-csi | grep " Required Drop Capabilities"
  Required Drop Capabilities:                   <none>

Following best practices by OpenShift, this should be defined so that it follows the principle of least privileges when granting permissions. 


Can this be reviewed as it has been highlighted as a security issue in CIS OpenShift Benchmark? 



* Version of all relevant components (if applicable):
ODF 4.10 and above
Comment 2 Subham Rai 2023-03-20 07:21:02 UTC 
 @tnielsen  we can have `requiredDropCapabilities: [all]` but we do need some capabilities, like `MKNOD`those  we can add those in `allowedCapabilities:[]`?
Comment 3 Travis Nielsen 2023-03-20 19:57:53 UTC 
Let's look at restricting this priv in 4.14. For 4.13 it is too much a risk to break at this point.
Comment 4 tiwl-sg 2023-03-30 05:29:32 UTC 
While waiting for the fix, can i check if NET_BIND_SERVICE can be added to Required Drop Capabilities? 

# oc describe scc rook-ceph | grep " Required Drop Capabilities"
  Required Drop Capabilities:                   <none>

# oc describe scc rook-ceph-csi | grep " Required Drop Capabilities"
  Required Drop Capabilities:                   <none>
Note You need to log in before you can comment on or make changes to this bug.