Uploaded image for project: 'OpenShift Authentication'
  1. OpenShift Authentication
  2. AUTH-324

User-namespace-aware SCC

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Done
    • Icon: Major Major
    • None
    • None
    • User-namespace-aware SCC
    • BU Product Work
    • False
    • False
    • Not Selected
    • To Do
    • OCPSTRAT-198 - Secure-by-default image builds
    • OCPSTRAT-198Secure-by-default image builds
    • 100% To Do, 0% In Progress, 0% Done

      Epic Goal

      Security Context Constraints (SCC) should be aware of Kubernetes user namespaces. Kubernetes user namespaces enables the user to run containers as root inside the user namespace but as an unprivileged user on the host which maintains the same security constraints as the "restricted" SCC when running without user namespaces. As a result, all authenticated users on OpenShift should be able to run a container as root inside the user namespaces. 

      Why is this important?

      To enable any authenticated user on OpenShift to run image builds without requiring additional privileges for buildah pods that are not available to all authenticated users and all pods. Buildah containers require to run as root which is not allowed by default. Running buildah in the user namespaces allows the  buildah containers to run as root in the user namespace but as a normal unprivileged user on the host, hence providing a secure way to run image builds on OpenShift.

      Acceptance Criteria

      • All authenticated users by default can run a container as root inside the user namespaces within an appropriate SCC. 

            mfojtik@redhat.com Michal Fojtik
            rh-ee-ssadeghi Siamak Sadeghianfar
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: