Cloud Infrastructure Security & Compliance
CMP-3915

SCCs `nested-container` and `restricted-v3` should be added to default allowed list of SCCs


      ... to prevent failure of rule scc-limit-container-allowed-capabilities

      Description of problem:

      When performing a compliance scan on a 4.20 cluster, the rule `scc-limit-container-allowed-capabilities` fails, because the required SCCs `nested-container` and `restricted-v3` present on the cluster are not included in the variable `var_sccs_with_allowed_capabilities_regex.var`, the default regex list of SCCs that are permitted to set the allowedCapabilities attribute. Both SCCs are owned and managed by OpenShift.

      $ oc get ccr |grep limit-container-allowed-capabilities
      ocp4-cis-scc-limit-container-allowed-capabilities                 FAIL     medium
      
      $ oc get  scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$|^insights-runtime-extractor-scc$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
      [  "nested-container",  "restricted-v3"] 

      How reproducible:

      Always

      Steps to Reproduce:

       1. Install CO
       2. Create an SSB with the ocp4-cis profile and default settings
          $ oc compliance bind -N test profile/ocp4-cis
          Creating ScanSettingBinding test
       3. Wait for the scan to finish
       4. Get the result for the rule
          $ oc get ccr |grep limit-container-allowed-capabilities
          ocp4-cis-scc-limit-container-allowed-capabilities                 FAIL     medium
       5. See what the default variable value is
          $ oc get variable ocp4-var-sccs-with-allowed-capabilities-regex  -ojsonpath='{.value}'
          ^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$|^insights-runtime-extractor-scc$
       6. Check which SCC is preventing the rule from passing
          $ oc get  scc -o json | jq '[.items[] | select(.metadata.name | test("^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$|^insights-runtime-extractor-scc$"; "") | not) | select(.allowedCapabilities != null) | .metadata.name]'
          [  "nested-container",  "restricted-v3"]
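      The check the reporter runs with jq, reimplemented in Python as an added example (not code from the issue or from the Compliance Operator): it evaluates the rule's allow-list logic against a constructed SCC list, first with the default regex and then with the two OpenShift-managed SCCs appended, to show the FAIL turning into a PASS. The SCC objects and their capability lists are constructed for illustration, not copied from a cluster.

```python
import re

# Default value of var_sccs_with_allowed_capabilities_regex on the 4.20 cluster, as quoted in the report.
DEFAULT_REGEX = (r"^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$"
                 r"|^insights-runtime-extractor-scc$")
# Proposed default with the two OpenShift-managed SCCs appended (the change this issue requests).
PROPOSED_REGEX = DEFAULT_REGEX + r"|^nested-container$|^restricted-v3$"

# Constructed, minimal stand-in for `oc get scc -o json`; names mirror the report, the
# capability lists are illustrative only.
SAMPLE_SCCS = {"items": [
    {"metadata": {"name": "privileged"}, "allowedCapabilities": ["*"]},
    {"metadata": {"name": "restricted-v2"}, "allowedCapabilities": ["NET_BIND_SERVICE"]},
    {"metadata": {"name": "restricted-v3"}, "allowedCapabilities": ["NET_BIND_SERVICE"]},
    {"metadata": {"name": "nested-container"}, "allowedCapabilities": ["SETUID", "SETGID"]},
    {"metadata": {"name": "nonroot-v2"}, "allowedCapabilities": ["NET_BIND_SERVICE"]},
    {"metadata": {"name": "restricted"}},  # allowedCapabilities unset: never flagged
]}


def unpermitted_sccs(scc_list, allowed_regex):
    """Names of SCCs that set allowedCapabilities but are not matched by the
    allow-list regex. Same semantics as the jq query in the report: jq's
    test() is an unanchored search, so the regex relies on ^...$ anchors."""
    pattern = re.compile(allowed_regex)
    return sorted(
        item["metadata"]["name"]
        for item in scc_list["items"]
        if item.get("allowedCapabilities") is not None
        and not pattern.search(item["metadata"]["name"])
    )


def rule_result(scc_list, allowed_regex):
    """PASS when every SCC that sets allowedCapabilities is on the allow list."""
    return "FAIL" if unpermitted_sccs(scc_list, allowed_regex) else "PASS"


if __name__ == "__main__":
    for label, regex in (("default", DEFAULT_REGEX), ("proposed", PROPOSED_REGEX)):
        print(label, rule_result(SAMPLE_SCCS, regex), unpermitted_sccs(SAMPLE_SCCS, regex))
```

      The anchors matter: without them `restricted-v3` would be matched by a loose `restricted` pattern and the rule would silently stop flagging any SCC whose name merely contains an allow-listed string.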


      Actual results:

      SCCs "nested-container" and "restricted-v3" are not listed in the default value of the variable var_sccs_with_allowed_capabilities_regex.var

      Expected results:

      SCCs "nested-container" and "restricted-v3" should be listed in the default value of the variable var_sccs_with_allowed_capabilities_regex.var, as they are required SCCs for the cluster managed by OpenShift

              lbragsta@redhat.com Lance Bragstad
              rh-ee-akoudelk Anna Koudelkova