Epic
Resolution: Done
Major
User-namespace-aware SCC
BU Product Work
To Do
OCPSTRAT-198 - Secure-by-default image builds
100% To Do, 0% In Progress, 0% Done
Epic Goal
Security Context Constraints (SCC) should be aware of Kubernetes user namespaces. Kubernetes user namespaces enable the user to run containers as root inside the user namespace but as an unprivileged user on the host, which maintains the same security constraints as the "restricted" SCC when running without user namespaces. As a result, all authenticated users on OpenShift should be able to run a container as root inside a user namespace.
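The root-inside, unprivileged-outside mapping described above can be checked on a node by reading a container process's `/proc/<pid>/uid_map`. The following is an added example, not part of the original issue or of OpenShift's code; the map contents are constructed, and it assumes the file is read from the host's initial user namespace.

```python
"""Check whether root inside a container's user namespace is unprivileged on the host.

Added example. Assumes uid_map is read from the host's initial user
namespace, so the second column holds host UIDs.
"""
from typing import NamedTuple, Optional


class Extent(NamedTuple):
    ns_start: int    # first ID inside the user namespace
    host_start: int  # first ID it maps to on the host
    length: int      # number of consecutive IDs covered


def parse_id_map(text: str) -> list[Extent]:
    """Parse uid_map/gid_map text: one 'ns_start host_start length' per line."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed map line: {line!r}")
        extents.append(Extent(*map(int, fields)))
    return extents


def to_host_id(extents: list[Extent], ns_id: int) -> Optional[int]:
    """Translate an in-namespace ID to its host ID, or None if unmapped."""
    for e in extents:
        if e.ns_start <= ns_id < e.ns_start + e.length:
            return e.host_start + (ns_id - e.ns_start)
    return None


def root_is_unprivileged_on_host(uid_map_text: str) -> bool:
    """True only when in-namespace UID 0 maps to a non-zero host UID."""
    host_uid = to_host_id(parse_id_map(uid_map_text), 0)
    return host_uid is not None and host_uid != 0


# Constructed samples of /proc/<pid>/uid_map contents.
HOST_NAMESPACE_MAP = "         0          0 4294967295\n"  # no user namespace
USERNS_POD_MAP = "         0    1000000      65536\n"      # pod in its own user namespace

if __name__ == "__main__":
    for name, m in (("host", HOST_NAMESPACE_MAP), ("userns pod", USERNS_POD_MAP)):
        print(name, "root unprivileged on host:", root_is_unprivileged_on_host(m))
```

A process whose map is the identity line has no user namespace of its own, so UID 0 in it is host root and the check returns False.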
Why is this important?
This enables any authenticated user on OpenShift to run image builds without requiring additional privileges for buildah pods that are not available to all authenticated users and all pods. Buildah containers must run as root, which is not allowed by default. Running buildah in a user namespace allows the buildah containers to run as root in the user namespace but as a normal unprivileged user on the host, hence providing a secure way to run image builds on OpenShift.
Acceptance Criteria
- By default, all authenticated users can run a container as root inside a user namespace within an appropriate SCC.
- duplicates
  - OCPNODE-2559 Add `restricted-v3` and `nested-container` SCC by default (To Do)
- is related to
  - OCPSTRAT-207 TP in 4.17 : Support User Namespaces in pods (Closed)