- Bug
- Resolution: Not a Bug
- Major
- None
- 4.12
- Important
- None
- Rejected
- False
- Customer Escalated
Description of problem:
Cannot run "ip link set lo down" inside OCP 4.12 Pod even though the capabilities have been set against the binary
Version-Release number of selected component (if applicable):
4.12.0-0.ci.test-2022-10-19-103705-ci-ln-b4wpri2-latest
How reproducible:
100%
Steps to Reproduce:
1. Create image

    FROM registry.access.redhat.com/ubi8/ubi:8.5
    RUN dnf install -y iputils net-tools iproute
    RUN setcap cap_net_admin+ep /usr/sbin/ip
    CMD sleep infinity

2. Add privileged scc to default service account

    oc adm policy add-scc-to-user privileged system:serviceaccount:test-iplink:default

3. Create pod

    apiVersion: v1
    kind: Pod
    metadata:
      name: 'iplink'
      namespace: 'test-iplink'
    spec:
      containers:
      - name: appcntr1
        image: 'registry.kni-qe-22.lab.eng.bos.redhat.com:5000/openshift/iplink:v1.0'
        imagePullPolicy: IfNotPresent
        command: [ "/bin/bash", "-c", "--" ]
        args: [ "while true; do sleep 300000; done;" ]
        securityContext:
          runAsGroup: 9999
          runAsUser: 9999
          capabilities:
            add: ["NET_ADMIN"]

4. Check the result

    $ oc get pods
    NAME READY STATUS RESTARTS AGE
    testpod 1/1 Running 0 5m17s
    $ oc rsh testpod ip link set lo up
    RTNETLINK answers: Operation not permitted
Actual results:
    $ oc rsh testpod ip link set lo up
    RTNETLINK answers: Operation not permitted
Expected results:
ip link set lo up should succeed
Additional info:
- clones: OCPBUGS-1425 [OCP 4.11] Capabilities are not honored (Closed)
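
The following is an added diagnostic, not part of the original report and not OpenShift code. For a report like this one, it reads the capability sets from a `/proc/<pid>/status` file and applies the execve rules from capabilities(7) to predict whether a binary marked `cap_net_admin+ep` would receive the capability. The function names, outcome words and sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report). Run inside the container as the
# pod's user, or point it at a saved copy of /proc/<pid>/status.
CAP_NET_ADMIN=12   # capability number from linux/capability.h

# field FILE NAME: print the value of one "Name:<tab>value" line
field() { awk -v k="$2:" '$1 == k { print $2 }' "$1"; }

# has_bit HEXMASK BIT: succeed if the bit is set in the hex mask
has_bit() { [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]; }

# predict_file_cap FILE BIT: outcome of exec'ing a binary carrying "cap_x+ep"
# (file inheritable set empty), for the process described by FILE.
predict_file_cap() (
    f=$1 bit=$2
    bnd=$(field "$f" CapBnd) prm=$(field "$f" CapPrm) nnp=$(field "$f" NoNewPrivs)
    if ! has_bit "$bnd" "$bit"; then
        echo exec-fails    # file permitted set not obtainable: execve returns EPERM
    elif [ "${nnp:-0}" = 1 ] && ! has_bit "$prm" "$bit"; then
        echo not-granted   # no_new_privs makes file capabilities non-functional
    else
        echo granted       # P'(permitted) = F(permitted) & P(bounding) has the bit
    fi
)

# report [FILE]: show where CAP_NET_ADMIN is present and the predicted outcome
report() (
    f=${1:-/proc/self/status}
    for set in CapInh CapPrm CapEff CapBnd CapAmb; do
        if has_bit "$(field "$f" "$set")" "$CAP_NET_ADMIN"; then s=yes; else s=no; fi
        echo "$set has CAP_NET_ADMIN: $s"
    done
    echo "NoNewPrivs: $(field "$f" NoNewPrivs)"
    echo "exec of cap_net_admin+ep binary: $(predict_file_cap "$f" "$CAP_NET_ADMIN")"
)

# Constructed sample: non-root process with NET_ADMIN only in the bounding set.
sample=$(mktemp)
printf 'CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n' >  "$sample"
printf 'CapEff:\t0000000000000000\nCapBnd:\t0000000000001000\n' >> "$sample"
printf 'CapAmb:\t0000000000000000\nNoNewPrivs:\t0\n'            >> "$sample"
report "$sample"
rm -f "$sample"
```

A `nosuid` mount also disables file capabilities and does not show up in the status file, so check the mount options of the filesystem holding the binary separately.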