OpenShift Bugs / OCPBUGS-27145

Excessive privileges used for some baremetal containers


    • Low
    • No
    • False

      In order to use hostPath volumes, containers in Kubernetes must be started with the privileged flag set. This is because this flag toggles an SELinux boolean that cannot be toggled by enabling any particular capability. (Empirical testing shows the same restriction does not apply to emptyDir volumes.)

      Since the baremetal components rely on hostPath volumes for a number of purposes, this prevents many of them from running unprivileged.

      However, there are a number of containers that do not use any hostPath volumes and need only an added capability, if anything. These should be specified explicitly instead of just setting privileged mode to enable everything.
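One way to find the containers this issue is about, as an added example that is not code from the issue or from the baremetal components: the audit below splits privileged containers into those that mount a hostPath volume and those that do not. The pod spec, container names and volume names are constructed for illustration.

```python
import json

# Constructed sample: the pod spec portion of a Deployment, as JSON.
# Container and volume names are hypothetical.
SAMPLE_POD_SPEC = json.loads("""
{
  "volumes": [
    {"name": "images", "hostPath": {"path": "/var/lib/example-images"}},
    {"name": "scratch", "emptyDir": {}}
  ],
  "initContainers": [
    {"name": "fetch-image", "securityContext": {"privileged": true},
     "volumeMounts": [{"name": "images", "mountPath": "/shared"}]}
  ],
  "containers": [
    {"name": "api", "securityContext": {"privileged": true},
     "volumeMounts": [{"name": "scratch", "mountPath": "/tmp/work"}]},
    {"name": "dhcp", "securityContext": {"privileged": true}},
    {"name": "log-watcher",
     "securityContext": {"capabilities": {"drop": ["ALL"]}},
     "volumeMounts": [{"name": "scratch", "mountPath": "/logs"}]}
  ]
}
""")


def audit_privileged(pod_spec):
    """Split privileged containers by whether they mount a hostPath volume."""
    host_path_volumes = {
        v["name"] for v in pod_spec.get("volumes") or [] if "hostPath" in v
    }
    needs_privileged, over_privileged = [], []
    for key in ("initContainers", "containers"):
        for c in pod_spec.get(key) or []:
            if not (c.get("securityContext") or {}).get("privileged", False):
                continue  # already unprivileged, nothing to review
            mounts = {m["name"] for m in c.get("volumeMounts") or []}
            if mounts & host_path_volumes:
                needs_privileged.append(c["name"])  # hostPath user
            else:
                over_privileged.append(c["name"])  # candidate for explicit capabilities
    return needs_privileged, over_privileged


if __name__ == "__main__":
    keep, review = audit_privileged(SAMPLE_POD_SPEC)
    print("privileged, mounts hostPath:", keep)
    print("privileged, no hostPath (specify capabilities explicitly):", review)
```

The same function can be pointed at the `.spec.template.spec` object of a real Deployment exported as JSON.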

            zabitter Zane Bitter
            zabitter Zane Bitter
            Steeve Goveas Steeve Goveas