Goal: Minimize the permissions needed to run OpenShift builds
Problem: OpenShift builds use the privileged: true security context, which bypasses standard RHEL security features like SELinux and AppArmor.
Why is this important?
The expanded permissions granted to OpenShift builds apply to the build controller and the builder service account. These can be abused and lead to privilege escalation (say, due to a known CVE).
- Buildah supports running without privileged: true in a container
Stories and Deliverables
- Update builds to run without privileged: true containers
- Reduce the permissions granted to the build controller and the builder service account
Recently did an R&D experiment with removing the privileged bit with https://github.com/openshift/openshift-controller-manager/pull/156
To date, the buildah/podman team has not run OCI isolation successfully from an unprivileged pod.
As an OpenShift cluster admin
I want builds to run without privileged: true containers
So that I can comply with security policies that ban privileged containers.
- Builds run without using privileged: true containers
- The build controller and builder service account use minimal privileges to run successful builds.
- Should developers be allowed to restore the "privileged" build mode? For instance, if devs see build times increase significantly because we're using the VFS storage driver and are not privileged, they may want to be able to go back and accept a riskier build process.
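
One way to check the acceptance criterion that builds run without privileged: true containers, as an added example that is not part of this ticket or of OpenShift's own code: it scans pod JSON in the shape produced by `oc get pods -A -o json` and lists every privileged container in a build pod, init containers included. Identifying build pods by the `openshift.io/build.name` label is an assumption here, and the sample pods are constructed.

```python
import json
import sys

BUILD_LABEL = "openshift.io/build.name"  # assumption: label that marks build pods

def _pod(ns, name, labels, init=(), main=()):
    """Build a minimal constructed pod object for the sample below."""
    return {"metadata": {"namespace": ns, "name": name, "labels": labels},
            "spec": {"initContainers": list(init), "containers": list(main)}}

# Constructed sample data (not taken from a real cluster).
SAMPLE = {"items": [
    # Build pod still running privileged in both an init and a main container.
    _pod("ci", "app-1-build", {BUILD_LABEL: "app-1"},
         init=[{"name": "setup", "securityContext": {"privileged": True}}],
         main=[{"name": "build", "securityContext": {"privileged": True}}]),
    # Build pod that meets the criterion (explicit false, and no securityContext).
    _pod("ci", "app-2-build", {BUILD_LABEL: "app-2"},
         init=[{"name": "setup", "securityContext": None}],
         main=[{"name": "build", "securityContext": {"privileged": False}}]),
    # Privileged pod that is not a build: outside the scope of this check.
    _pod("infra", "node-agent", None,
         main=[{"name": "agent", "securityContext": {"privileged": True}}]),
]}

def privileged_build_containers(pod_list, label=BUILD_LABEL):
    """Return sorted (namespace, pod, build, container) for privileged build containers."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata") or {}
        build = (meta.get("labels") or {}).get(label)
        if build is None:
            continue  # not a build pod
        spec = pod.get("spec") or {}
        for field in ("initContainers", "containers", "ephemeralContainers"):
            for container in spec.get(field) or []:
                ctx = container.get("securityContext") or {}
                if ctx.get("privileged") is True:
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     build, container.get("name")))
    return sorted(findings)

if __name__ == "__main__":
    # Pass a file holding pod-list JSON, or run with no argument to use the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    found = privileged_build_containers(data)
    for ns, pod, build, container in found:
        print(f"privileged: {ns}/{pod} (build {build}) container={container}")
    sys.exit(1 if found else 0)
```

The non-zero exit status on any finding lets the check gate a CI job or a policy audit.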