OpenShift Bugs / OCPBUGS-11385

DNS egress router should not run as privileged

    • Bug
    • Resolution: Done-Errata
    • Minor
    • 4.14.0
    • 4.12.0
    • Networking / router
    • None
    • Moderate
    • No
    • 3
    • Sprint 234
    • 1
    • Rejected
    • False

      Description of problem:

      The DNS egress router must run as privileged. With it being just an haproxy, it doesn't make much sense.
      
      If I am not wrong, the biggest reason to need privileged is because of the chroot option inherited from the default file (https://github.com/openshift/images/blob/master/egress/dns-proxy/egress-dns-proxy.sh#L44). That option doesn't make much sense when we are already inside a container (hence why ingress controllers don't use it, for example).
      
      So it may be worth exploring if this option can be removed and the DNS egress router can be run without requiring privileged mode, but maybe just CAP_NET_BIND_SERVICE.
      

      Version-Release number of selected component (if applicable):

      4.12.0
      

      How reproducible:

      Always
      

      Steps to Reproduce:

      1. Forget to set privileged mode in the container
      

      Actual results:

      Pod cannot start due to chroot setting. I need to run the container as privileged, which lowers security too much.
      

      Expected results:

      Run the container without being privileged, maybe adding CAP_NET_BIND_SERVICE.
      

      Additional info:

      
      

            alebedev@redhat.com Andrey Lebedev
            rhn-support-palonsor Pablo Alonso Rodriguez
            Shudi Li Shudi Li
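
Added example, not part of the issue and not code from the OpenShift image: a small Python check that lists which Linux capabilities an haproxy configuration needs, so the effect of dropping `chroot` on the required privilege set can be seen directly. The sample config, the function name `required_capabilities` and the paths are constructed for illustration; the port threshold assumes the kernel default of 1024 for unprivileged ports.

```python
# Added example: constructed haproxy config, not the content of egress-dns-proxy.sh.
SAMPLE_CFG = """\
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    user haproxy
    group haproxy

defaults
    mode tcp

frontend fe1
    bind :80
    default_backend be1

frontend fe2
    bind 0.0.0.0:8443,:::8444
    default_backend be2
"""

# haproxy global keywords and the Linux capability each needs to take effect.
GLOBAL_CAPS = {
    "chroot": "CAP_SYS_CHROOT",                   # chroot(2)
    "user": "CAP_SETUID", "uid": "CAP_SETUID",    # switching to another uid
    "group": "CAP_SETGID", "gid": "CAP_SETGID",   # switching to another gid
}
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}


def required_capabilities(cfg, unprivileged_port_start=1024):
    """Return {capability: [config lines that require it]} for an haproxy config."""
    needs, section = {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            section = words[0]
        elif section == "global" and words[0] in GLOBAL_CAPS:
            needs.setdefault(GLOBAL_CAPS[words[0]], []).append(" ".join(words))
        elif section in ("frontend", "listen") and words[0] == "bind" and len(words) > 1:
            for addr in words[1].split(","):
                # Port is what follows the last ':'; a range like 80-90 starts at 80.
                port = addr.rpartition(":")[2].split("-")[0]
                if port.isdigit() and int(port) < unprivileged_port_start:
                    needs.setdefault("CAP_NET_BIND_SERVICE", []).append(" ".join(words))
                    break
    return needs


if __name__ == "__main__":
    for cap, lines in sorted(required_capabilities(SAMPLE_CFG).items()):
        print(cap, "<-", "; ".join(lines))
```

The resulting capability names are what a pod's `securityContext.capabilities.add` list would need in place of `privileged: true`, minus the `CAP_` prefix that Kubernetes omits.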