Details
- Bug
- Resolution: Unresolved
- Minor
- 4.12.z
- OTA 255
Description
Description of problem:
When matched by a custom SCC (here one with priority 8, runAsUser type RunAsAny and no requiredDropCapabilities), the CVO pod may run as the root user and does not drop any capabilities.
Version-Release number of selected component (if applicable):
4.12
How reproducible:
$ oc get pods -n openshift-cluster-version -o custom-columns=NAMESPACE:.metadata.namespace,POD_NAME:.metadata.name,SERVICE_ACCOUNT:.spec.serviceAccount,SCC_PROFILE:".metadata.annotations.openshift\.io/scc"
NAMESPACE                   POD_NAME                                    SERVICE_ACCOUNT   SCC_PROFILE
openshift-cluster-version   cluster-version-operator-5b7c5599c6-l5kqm   default           custom-pod-security-policy

$ oc get pods -n openshift-cluster-version cluster-version-operator-5b7c5599c6-l5kqm -o yaml | oc -n openshift-cluster-version policy scc-review -f -
RESOURCE                                        SERVICE ACCOUNT   ALLOWED BY
Pod/cluster-version-operator-5b7c5599c6-l5kqm   default           custom-pod-security-policy
Pod/cluster-version-operator-5b7c5599c6-l5kqm   default           hostaccess
Pod/cluster-version-operator-5b7c5599c6-l5kqm   default           node-exporter
Pod/cluster-version-operator-5b7c5599c6-l5kqm   default           privileged

$ oc get scc custom-pod-security-policy -o yaml
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: true
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:
- CHOWN
- KILL
- NET_ADMIN
- NET_BIND_SERVICE
- NET_RAW
- SETGID
- SETUID
- SYS_CHROOT
allowedUnsafeSysctls:
- net.ipv4.*
- net.ipv6.*
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"allowHostDirVolumePlugin":true,"allowHostIPC":false,"allowHostNetwork":true,"allowHostPorts":false,"allowPrivilegeEscalation":true,"allowPrivilegedContainer":true,"allowedCapabilities":["CHOWN","KILL","NET_ADMIN","NET_BIND_SERVICE","NET_RAW","SETGID","SETUID","SYS_CHROOT"],"allowedUnsafeSysctls":["net.ipv4.*","net.ipv6.*"],"allowtostPID":false,"apiVersion":"security.openshift.io/v1","defaultAddCapabilities":null,"fsGroup":{"type":"RunAsAny"},"groups":[],"kind":"SecurityContextConstraints","metadata":{"annotations":{},"name":"custom-pod-security-policy"},"priority":8,"readOnlyRootFilesystem":false,"requiredDropCapabilities":null,"runAsUser":{"type":"RunAsAny"},"seLinuxContext":{"type":"MustRunAs"},"supplementalGroups":{"type":"RunAsAny"},"users":[],"volumes":["configMap","emptyDir","hostPath","persistentVolumeClaim","projected","secret"]}
  creationTimestamp: "2023-04-25T13:52:40Z"
  generation: 1
  name: custom-pod-security-policy
  resourceVersion: "23492572"
  uid: 9cf1a7c8-134f-4c82-9583-7ab9534eb935
priority: 8
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret
$ oc rsh -n openshift-cluster-version cluster-version-operator-5b7c5599c6-l5kqm
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root)
Additional info:
The pod normally runs with the hostaccess SCC, which enforces a UID and fsGroup from the namespace's allocated range. It also drops some capabilities:

$ oc get pods -n openshift-cluster-version -o custom-columns=POD_NAME:.metadata.name,SERVICE_ACCOUNT:.spec.serviceAccount,SCC_PROFILE:".metadata.annotations.openshift\.io/scc"
POD_NAME                                    SERVICE_ACCOUNT   SCC_PROFILE
cluster-version-operator-56f88c86df-c84zz   default           hostaccess

$ oc exec -it -n openshift-cluster-version cluster-version-operator-56f88c86df-c84zz -- id
uid=1000040000(1000040000) gid=0(root) groups=0(root),1000040000
From a side-by-side diff of the two pods (left: admitted under hostaccess, right: admitted under custom-pod-security-policy):

        resources:                                      resources:
          requests:                                       requests:
            cpu: 20m                                        cpu: 20m
            memory: 50Mi                                    memory: 50Mi
        securityContext:                              <
          capabilities:                               <
            drop:                                     <
            - KILL                                    <
            - MKNOD                                   <
            - SETGID                                  <
            - SETUID                                  <
          runAsNonRoot: true                          <
          runAsUser: 1000040000                       <
        terminationMessagePath: /dev/termination-log    terminationMessagePath: /dev/termination-log
(...)
      restartPolicy: Always                           restartPolicy: Always
      schedulerName: default-scheduler                schedulerName: default-scheduler
      securityContext:                                securityContext:
        fsGroup: 1000040000                         <
        seLinuxOptions:                                 seLinuxOptions:
          level: s0:c6,c5                           |     level: s0:c6,c0
About runAsNonRoot:

[akaris@linux scc-assignments]$ oc explain pod.spec.securityContext.runAsNonRoot
KIND:     Pod
VERSION:  v1

FIELD:    runAsNonRoot <boolean>

DESCRIPTION:
     Indicates that the container must run as a non-root user. If true, the
     Kubelet will validate the image at runtime to ensure that it does not run
     as UID 0 (root) and fail to start the container if it does. If unset or
     false, no such validation will be performed. May also be set in
     SecurityContext. If set in both SecurityContext and PodSecurityContext, the
     value specified in SecurityContext takes precedence.
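The diff and the runAsNonRoot description above give the fields an operator would check to catch this condition before it reaches a control-plane pod: the SCC that admitted the pod, whether a UID is pinned or runAsNonRoot is set (container level overriding pod level), and which capabilities were dropped. The following audit is an added example written for this page, not code from the bug report or from the cluster-version-operator. It reads objects in the shape `oc get ... -o json` returns, and the sample SCC and pods are constructed from the values quoted above; the "baseline" drop set, the hardened SCC variant and the helper names are this example's own assumptions.

```python
"""Audit SCC objects and pods for the condition in this bug: a pod admitted
under a permissive custom SCC that keeps the image's root UID and drops no
capabilities.  Added example, not from the bug report or the CVO code base.
Object shapes follow `oc get ... -o json`; samples are constructed below."""
import json
from typing import Any

# What the built-in hostaccess SCC removed from the CVO container in the diff
# above, used as the minimum a custom SCC should also drop (an assumption of
# this example, not a rule stated on the page).
BASELINE_DROPS = {"KILL", "MKNOD", "SETGID", "SETUID"}


def _missing_drops(drops: Any) -> set[str]:
    """Baseline capabilities not covered by a drop list ('ALL' covers everything)."""
    drops = set(drops or [])
    return set() if "ALL" in drops else BASELINE_DROPS - drops


def audit_scc(scc: dict[str, Any]) -> list[str]:
    """Findings for a SecurityContextConstraints object that would let a matched
    pod run as root or keep capabilities; an empty list means no check fired."""
    findings = []
    if scc.get("runAsUser", {}).get("type") == "RunAsAny":
        findings.append("runAsUser is RunAsAny: pod keeps the image's UID (root unless the image says otherwise)")
    missing = _missing_drops(scc.get("requiredDropCapabilities"))
    if missing:
        findings.append("requiredDropCapabilities leaves " + ",".join(sorted(missing)))
    if scc.get("allowPrivilegedContainer"):
        findings.append("allowPrivilegedContainer is true")
    if scc.get("allowPrivilegeEscalation", True):  # SCC default is true when unset
        findings.append("allowPrivilegeEscalation is true")
    if (scc.get("priority") or 0) > 0:
        # Admission orders candidate SCCs by priority (highest first), so any
        # positive priority wins over hostaccess and other SCCs that have none.
        findings.append(f"priority {scc['priority']} is selected before SCCs with no priority such as hostaccess")
    return findings


def audit_pod(pod: dict[str, Any]) -> dict[str, Any]:
    """Record which SCC admitted the pod and which containers are neither pinned
    to a non-root UID nor dropping the baseline capabilities."""
    meta = pod["metadata"]
    pod_sc = pod["spec"].get("securityContext", {})
    weak = []
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        reasons = []
        # Container-level values take precedence over pod-level ones (see oc explain above).
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0:
            reasons.append("runAsUser is 0")
        elif run_as_user is None and not non_root:
            reasons.append("no runAsUser and runAsNonRoot unset: image default UID is used")
        missing = _missing_drops(sc.get("capabilities", {}).get("drop"))
        if missing:
            reasons.append("does not drop " + ",".join(sorted(missing)))
        if sc.get("privileged"):
            reasons.append("privileged")
        if reasons:
            weak.append({"container": c["name"], "reasons": reasons})
    return {"namespace": meta["namespace"], "name": meta["name"],
            "scc": meta.get("annotations", {}).get("openshift.io/scc"),
            "weak_containers": weak}


def find_weak_pods(pod_list: dict[str, Any]) -> list[dict[str, Any]]:
    """Filter an `oc get pods -A -o json` List down to pods with weak containers."""
    return [r for r in map(audit_pod, pod_list["items"]) if r["weak_containers"]]


# Constructed from the SCC shown above (only the fields the audit reads).
CUSTOM_SCC = {"kind": "SecurityContextConstraints", "metadata": {"name": "custom-pod-security-policy"},
              "priority": 8, "allowPrivilegedContainer": True, "allowPrivilegeEscalation": True,
              "requiredDropCapabilities": None, "runAsUser": {"type": "RunAsAny"}}

# Hypothetical hardened variant (this example's suggestion, not from the page).
HARDENED_SCC = {"kind": "SecurityContextConstraints", "metadata": {"name": "custom-pod-security-policy"},
                "allowPrivilegedContainer": False, "allowPrivilegeEscalation": False,
                "requiredDropCapabilities": ["ALL"], "runAsUser": {"type": "MustRunAsRange"}}


def _cvo_pod(name: str, scc: str, container_sc: dict[str, Any], pod_sc: dict[str, Any]) -> dict[str, Any]:
    """Build a minimal CVO pod object in `-o json` shape (constructed sample)."""
    return {"metadata": {"namespace": "openshift-cluster-version", "name": name,
                         "annotations": {"openshift.io/scc": scc}},
            "spec": {"serviceAccount": "default", "securityContext": pod_sc,
                     "containers": [{"name": "cluster-version-operator", "securityContext": container_sc}]}}


# The two pod states from the diff above: hostaccess (left column) and the custom SCC (right).
SAMPLE_PODS = {"kind": "List", "items": [
    _cvo_pod("cluster-version-operator-56f88c86df-c84zz", "hostaccess",
             {"capabilities": {"drop": ["KILL", "MKNOD", "SETGID", "SETUID"]},
              "runAsNonRoot": True, "runAsUser": 1000040000},
             {"fsGroup": 1000040000, "seLinuxOptions": {"level": "s0:c6,c5"}}),
    _cvo_pod("cluster-version-operator-5b7c5599c6-l5kqm", "custom-pod-security-policy",
             {}, {"seLinuxOptions": {"level": "s0:c6,c0"}}),
]}

if __name__ == "__main__":
    print(json.dumps({"scc_findings": audit_scc(CUSTOM_SCC),
                      "weak_pods": find_weak_pods(SAMPLE_PODS)}, indent=2))
```

Against a live cluster the same functions take `json.load()` of `oc get scc -o json` and `oc get pods -A -o json`; the pod audit reports the l5kqm pod only, because the hostaccess-admitted pod has both a pinned non-root UID and the baseline drops, while the custom-SCC pod has no container securityContext at all.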