Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-10647

multus-admission-controller should not run as root under Hypershift-managed CNO

XMLWordPrintable

    • Important
    • No
    • Approved
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      Cluster Network Operator managed component multus-admission-controller does not conform to Hypershift control plane expectations.
      
      When CNO is managed by Hypershift, multus-admission-controller must run with non-root security context. If Hypershift runs control plane on kubernetes (as opposed to Openshift) management cluster, it adds pod or container security context to most deployments with runAsUser clause inside.
      
      In Hypershift CPO, the security context of deployment containers, including CNO, is set when it detects that SCC's are not available, see https://github.com/openshift/hypershift/blob/9d04882e2e6896d5f9e04551331ecd2129355ecd/support/config/deployment.go#L96-L100. In such a case CNO should do the same, set security context for its managed deployment multus-admission-controller to meet Hypershift standard.
      
      
       

      How reproducible:

      Always

      Steps to Reproduce:

      1.Create OCP cluster using Hypershift using Kube management cluster
      2.Check pod security context of multus-admission-controller
      

      Actual results:

      no pod security context is set

      Expected results:

      pod security context is set with runAsUser: xxxx

      Additional info:

      This is the highest priority item from https://issues.redhat.com/browse/OCPBUGS-7942 and it needs to be fixed ASAP as it is a security issue preventing IBM from releasing Hypershift-managed Openshift service.

              dosmith Douglas Smith
              michael.topchiev@ibm.com Michael Topchiev (Inactive)
              Weibin Liang Weibin Liang
              IBM Employee
              Hidematsu Sueki
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: