OCPBUGS-26532

Inconsistency in SCC Permission Requirements for Scheduling Gates Removal

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical
    • Affects Version/s: 4.14.0, 4.15, 4.16
    • Component/s: Security

      Description of problem:

      Removing scheduling gates from a pod requires a pod update, and the Security Context Constraints (SCC) admission check demands the same SCC permission for updating a pod as it does for creating one. However, removing scheduling gates does not change a pod's privileges at all.

      The inconsistency becomes clearer when you consider that a mutating webhook configuration can freely add scheduling gates to any pod in any namespace without SCC privileges. But removing those gates again from a pod that has privileges is not allowed without the corresponding SCC privileges.

      Scheduling gates play a crucial role in implementing custom resourceQuota functionality and are essential for adding administratively required logic to scheduling. Presently, using scheduling gates together with SCC is only practical if the component removing the gates is itself granted the privileged SCC, which confers far more privilege than it needs and poses a security risk.
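      The core of the report is that a gate-only update leaves every field an SCC decision depends on untouched. The following Go program is an added illustration of that comparison; it is not OpenShift's admission code, and the `Pod` and `SecurityContext` types, the `NeedsSCCRecheck` and `RemoveGate` functions and the `example.com/quota-check` gate name are all hypothetical, simplified stand-ins for the real API types and gate names.

```go
package main

import (
	"fmt"
	"reflect"
)

// Hypothetical, simplified pod model used only for this example; it is not
// the Kubernetes API type. Only the fields the example needs are modelled.
type SecurityContext struct {
	Privileged   bool
	HostNetwork  bool
	RunAsUser    *int64   // nil means "not set"
	Capabilities []string // added Linux capabilities
}

type Pod struct {
	Name            string
	Namespace       string
	SchedulingGates []string // names of the gates still holding the pod
	Security        SecurityContext
}

// securityRelevantView copies the pod and drops the fields an SCC decision
// does not depend on (here: the scheduling gates), so two pods that differ
// only in their gates compare equal.
func securityRelevantView(p Pod) Pod {
	v := p
	v.SchedulingGates = nil
	return v
}

// NeedsSCCRecheck reports whether an update touches anything an SCC
// admission decision depends on. Adding or removing scheduling gates alone
// does not, which is the point the bug report makes.
func NeedsSCCRecheck(oldPod, newPod Pod) bool {
	return !reflect.DeepEqual(securityRelevantView(oldPod), securityRelevantView(newPod))
}

// RemoveGate returns a copy of p with the named scheduling gate removed.
// The slice is rebuilt so the caller's pod is left unmodified.
func RemoveGate(p Pod, gate string) Pod {
	out := p
	out.SchedulingGates = make([]string, 0, len(p.SchedulingGates))
	for _, g := range p.SchedulingGates {
		if g != gate {
			out.SchedulingGates = append(out.SchedulingGates, g)
		}
	}
	return out
}

func main() {
	uid := int64(1000)
	// Constructed sample: a pod running as a fixed UID, held by a
	// hypothetical quota gate (the gate name is made up for this example).
	gated := Pod{
		Name:            "worker",
		Namespace:       "team-a",
		SchedulingGates: []string{"example.com/quota-check"},
		Security:        SecurityContext{RunAsUser: &uid},
	}

	// Removing only the gate: nothing SCC-relevant changes.
	released := RemoveGate(gated, "example.com/quota-check")
	fmt.Printf("gate removed, SCC re-check needed: %v\n", NeedsSCCRecheck(gated, released))

	// Removing the gate while also escalating: the SCC check must run.
	escalated := released
	escalated.Security.Privileged = true
	fmt.Printf("gate removed and privileged set, SCC re-check needed: %v\n", NeedsSCCRecheck(gated, escalated))
}
```

      The comparison works by projecting both the old and the new pod onto the fields an SCC decision actually reads and diffing only that projection; a real admission plugin would have to enumerate the full set of SCC-relevant fields rather than the handful modelled here.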
      
      

       

      Version-Release number of selected component (if applicable):

          

      How reproducible:

          

      Steps to Reproduce:

          1.
          2.
          3.
          

      Actual results:

          

      Expected results:

          

      Additional info:

          

              ppawlows@redhat.com Pawel Pawlowski
              bmordeha@redhat.com Barak Mordehai
              Xiaojie Yuan Xiaojie Yuan