-
Bug
-
Resolution: Done-Errata
-
Undefined
-
4.12
-
None
-
No
-
False
-
This is a clone of issue OCPBUGS-11473. The following is the description of the original issue:
—
This is a clone of issue OCPBUGS-160. The following is the description of the original issue:
—
Description of problem:
The NS autolabeler should adjust the PSS namespace labels such that a previously permitted workload (based on the SCCs it has access to) can still run.
The autolabeler requires the RoleBinding's .subjects[].namespace to be set when .subjects[].kind is ServiceAccount even though this is not required by the RBAC system to successfully bind the SA to a Role
Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.7.0-0.ci-2021-05-21-142747
Server Version: 4.12.0-0.nightly-2022-08-15-150248
Kubernetes Version: v1.24.0+da80cd0
How reproducible: 100%
Steps to Reproduce:
---
apiVersion: v1
kind: Namespace
metadata:
name: test
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: mysa
namespace: test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: myrole
namespace: test
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: myrb
namespace: test
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: myrole
subjects:
- kind: ServiceAccount
name: mysa
#namespace: test # This is required for the autolabeler
---
kind: Job
apiVersion: batch/v1
metadata:
name: myjob
namespace: test
spec:
template:
spec:
containers:
- name: ubi
image: registry.access.redhat.com/ubi8
command: ["/bin/bash", "-c"]
args: ["whoami; sleep infinity"]
restartPolicy: Never
securityContext:
runAsUser: 0
serviceAccount: mysa
terminationGracePeriodSeconds: 2
{{}}
Actual results:
Applying the manifest, above, the Job's pod will not start:
$ kubectl -n test describe job/myjob...Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 20s job-controller Error creating: pods "myjob-zxcvv" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "ubi" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "ubi" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "ubi" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or container "ubi" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Warning FailedCreate 20s job-controller Error creating: pods "myjob-fkb9x" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "ubi" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "ubi" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "ubi" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or container "ubi" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Warning FailedCreate 10s job-controller Error creating: pods "myjob-5klpc" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "ubi" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "ubi" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "ubi" must set securityContext.runAsNonRoot=true), runAsUser=0 (pod must not set runAsUser=0), seccompProfile (pod or container "ubi" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
Uncommenting the "namespace" field in the RoleBinding will allow it to start as the autolabeler will adjust the Namespace labels.
However, the namespace field isn't actually required by the RBAC system. Instead of using the autolabeler, the pod can be allowed to run by (w/o uncommenting the field):
$ kubectl label ns/test security.openshift.io/scc.podSecurityLabelSync=false
namespace/test labeled
$ kubectl label ns/test pod-security.kubernetes.io/enforce=privileged --overwrite
namespace/test labeled
We now see that the pod is running as root and has access to the privileged scc:
$ kubectl -n test get po -oyaml
apiVersion: v1
items:
- apiVersion: v1
kind: Pod
metadata:
annotations:
k8s.ovn.org/pod-networks: '{"default":{"ip_addresses":["10.129.2.18/23"],"mac_address":"0a:58:0a:81:02:12","gateway_ips":["10.129.2.1"],"ip_address":"10.129.2.18/23","gateway_ip":"10.129.2.1"'}}
k8s.v1.cni.cncf.io/network-status: |-
[{
"name": "ovn-kubernetes",
"interface": "eth0",
"ips": [
"10.129.2.18"
],
"mac": "0a:58:0a:81:02:12",
"default": true,
"dns": {}
}]
k8s.v1.cni.cncf.io/networks-status: |-
[{
"name": "ovn-kubernetes",
"interface": "eth0",
"ips": [
"10.129.2.18"
],
"mac": "0a:58:0a:81:02:12",
"default": true,
"dns": {}
}]
openshift.io/scc: privileged
creationTimestamp: "2022-08-16T13:08:24Z"
generateName: myjob-
labels:
controller-uid: 1867dbe6-73b2-44ea-a324-45c9273107b8
job-name: myjob
name: myjob-rwjmv
namespace: test
ownerReferences:
- apiVersion: batch/v1
blockOwnerDeletion: true
controller: true
kind: Job
name: myjob
uid: 1867dbe6-73b2-44ea-a324-45c9273107b8
resourceVersion: "36418"
uid: 39f18dea-31d4-4783-85b5-8ae6a8bec1f4
spec:
containers:
- args:
- whoami; sleep infinity
command:
- /bin/bash
- -c
image: registry.access.redhat.com/ubi8
imagePullPolicy: Always
name: ubi
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access-6f2h6
readOnly: true
dnsPolicy: ClusterFirst
enableServiceLinks: true
imagePullSecrets:
- name: mysa-dockercfg-mvmtn
nodeName: ip-10-0-140-172.ec2.internal
preemptionPolicy: PreemptLowerPriority
priority: 0
restartPolicy: Never
schedulerName: default-scheduler
securityContext:
runAsUser: 0
serviceAccount: mysa
serviceAccountName: mysa
terminationGracePeriodSeconds: 2
tolerations:
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 300
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 300
volumes:
- name: kube-api-access-6f2h6
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
- configMap:
items:
- key: service-ca.crt
path: service-ca.crt
name: openshift-service-ca.crt
status:
conditions:
- lastProbeTime: null
lastTransitionTime: "2022-08-16T13:08:24Z"
status: "True"
type: Initialized
- lastProbeTime: null
lastTransitionTime: "2022-08-16T13:08:28Z"
status: "True"
type: Ready
- lastProbeTime: null
lastTransitionTime: "2022-08-16T13:08:28Z"
status: "True"
type: ContainersReady
- lastProbeTime: null
lastTransitionTime: "2022-08-16T13:08:24Z"
status: "True"
type: PodScheduled
containerStatuses:
- containerID: cri-o://8fd1c3a5ee565a1089e4e6032bd04bceabb5ab3946c34a2bb55d3ee696baa007
image: registry.access.redhat.com/ubi8:latest
imageID: registry.access.redhat.com/ubi8@sha256:08e221b041a95e6840b208c618ae56c27e3429c3dad637ece01c9b471cc8fac6
lastState: {}
name: ubi
ready: true
restartCount: 0
started: true
state:
running:
startedAt: "2022-08-16T13:08:28Z"
hostIP: 10.0.140.172
phase: Running
podIP: 10.129.2.18
podIPs:
- ip: 10.129.2.18
qosClass: BestEffort
startTime: "2022-08-16T13:08:24Z"
kind: List
metadata:
resourceVersion: ""
{{}}
$ kubectl -n test logs job/myjob
root
Expected results:
The autolabeler should properly follow the RoleBinding back to the SCC
Additional info:
- clones
-
-
- Closed
-
- is blocked by
-
-
- Closed
-
- links to