OpenShift Logging: LOG-5930

Invalid capability being inserted to logging-scc

    • Type: Bug
    • Resolution: Not a Bug
    • Component: Log Collection

      Description of problem:

      1. Collector down due to an invalid capability inserted into logging-scc:

      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
          - CHOWN
          - DAC_OVERRIDE
          - FOWNER
          - FSETID
          - KILL
          - KILL16Gi100m'%s'   # <<<<<< invalid capability in pod security context
          - NET_BIND_SERVICE
          - SETGID
          - SETUID

      2. Issue mitigated by restarting CLO per the following KCS: https://access.redhat.com/solutions/6972316

      3. All audit logs reviewed starting from cluster creation time, referring to OHSS:
      https://issues.redhat.com/browse/OHSS-36183

      There is no request to logging-scc, nor does any requestObject contain "KILL16Gi100m".

      4. Tried to edit logging-scc from my test env and can see that the audit log has a patch request record like the one below:

      $ oc adm node-logs hollytest-ckbkr-master-0 --path=kube-apiserver/audit.log | grep logging-scc

      {"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"61072ea5-9740-431f-8bba-d16c202485bc","stage":"ResponseComplete","requestURI":"/apis/security.openshift.io/v1/securitycontextconstraints/logging-scc?fieldManager=kubectl-patch","verb":"patch","user":{"username":"kube:admin","groups":["system:cluster-admins","system:authenticated"],"extra":{"scopes.authorization.openshift.io":["user:full"]}},"sourceIPs":["x.x.x.x"],"userAgent":"oc/4.16.0 (linux/amd64) kubernetes/ada2fa8","objectRef":{"resource":"securitycontextconstraints","name":"logging-scc","apiGroup":"security.openshift.io","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","message":"the body of the request was in an unknown format - accepted media types include: application/json-patch+json, application/merge-patch+json, application/apply-patch+yaml","reason":"UnsupportedMediaType","code":415},"requestReceivedTimestamp":"2024-08-06T11:25:04.394281Z","stageTimestamp":"2024-08-06T11:25:04.394754Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"cluster-admins\" of ClusterRole \"cluster-admin\" to Group \"system:cluster-admins\""}}

      Which means that as long as there is a user operation towards logging-scc, the audit log should have a record of it.
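      The audit review in points 3 and 4 can be scripted rather than done with grep: parse each kube-apiserver audit line as JSON, keep the completed mutating requests whose objectRef is the SCC, and separately search any requestObject for the bogus capability string. This is an added example, not code from the ticket or from the logging operator; the audit events and the service-account name are constructed, and note that a requestObject is only present when the audit policy level is RequestResponse (the ticket's sample record is Metadata level and has none).

```python
import json

# Constructed sample kube-apiserver audit events (not from the ticket): one
# patch to logging-scc, one read of it, one unrelated update, one non-JSON line.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","auditID":"a1","stage":"ResponseComplete","verb":"patch","user":{"username":"kube:admin"},"objectRef":{"resource":"securitycontextconstraints","name":"logging-scc","apiGroup":"security.openshift.io"},"requestObject":{"requiredDropCapabilities":["KILL"]},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-08-06T11:25:04Z"}
{"kind":"Event","auditID":"a2","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:openshift-logging:example-sa"},"objectRef":{"resource":"securitycontextconstraints","name":"logging-scc","apiGroup":"security.openshift.io"},"responseStatus":{"code":200}}
{"kind":"Event","auditID":"a3","stage":"ResponseComplete","verb":"update","user":{"username":"kube:admin"},"objectRef":{"resource":"configmaps","name":"other","namespace":"default"},"requestObject":{"data":{"k":"KILL16Gi100m"}},"responseStatus":{"code":200}}
not-json garbage line
"""

MUTATING_VERBS = {"create", "update", "patch", "delete"}


def parse_events(text):
    """Parse one JSON audit event per line; lines that are not JSON are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def scc_writes(events, scc_name="logging-scc"):
    """Return (auditID, verb, username, HTTP code) for every completed write to the SCC."""
    hits = []
    for ev in events:
        ref = ev.get("objectRef") or {}
        if (ev.get("stage") == "ResponseComplete"
                and ev.get("verb") in MUTATING_VERBS
                and ref.get("resource") == "securitycontextconstraints"
                and ref.get("name") == scc_name):
            hits.append((ev["auditID"], ev["verb"],
                         (ev.get("user") or {}).get("username"),
                         (ev.get("responseStatus") or {}).get("code")))
    return hits


def request_objects_containing(events, needle):
    """Return auditIDs whose requestObject (RequestResponse level only) mentions needle."""
    return [ev["auditID"] for ev in events
            if "requestObject" in ev and needle in json.dumps(ev["requestObject"])]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    print(scc_writes(evs))
    print(request_objects_containing(evs, "KILL16Gi100m"))
```

      On a real cluster, feed it the output of `oc adm node-logs <master> --path=kube-apiserver/audit.log` from every control-plane node, since each node only holds the requests it served.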

      Version-Release number of selected component (if applicable):

      The issue happened on the CLO update to 5.9.4 on Jul 23.

      How reproducible:

      Steps to Reproduce:


      Actual results: 

      An invalid capability is inserted into logging-scc.

      Expected results:

      If there is no patch/update to logging-scc, the capabilities should remain the defaults.

      Additional info:

              Assignee: Unassigned
              Reporter: Holly Qiao (rhn-support-hqiao)