- Bug
- Resolution: Unresolved
- Major
- 4.13, 4.12, 4.14, 4.15
- Moderate
- OSDOCS Sprint 251
- Release Note Not Required
- In Progress
Description of problem:
Under https://docs.openshift.com/container-platform/4.12/authentication/managing-security-context-constraints.html#default-sccs_configuring-internal-oauth the explanation for restricted says:

~~~
* Requires that a pod is run as a user in a pre-allocated range of UIDs
[...]
* Allows pods to use any FSGroup
* Allows pods to use any supplemental group
~~~

However the definition of the "restricted-v2" SCC (https://github.com/openshift/cluster-kube-apiserver-operator/blob/release-4.15/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-restricted-v2.yaml#L13) is:

~~~
fsGroup:
  type: MustRunAs
~~~

This conflicts with "Allows pods to use any FSGroup", as it has to be a specific group.
Version-Release number of selected component (if applicable):
OpenShift Container Platform 4.15
How reproducible:
Always
Steps to Reproduce:
1. Create a Pod that is using the "restricted" or "restricted-v2" SCC
2. Set an arbitrary `fsGroup`
Actual results:
SCC does not allow Pod to be created
Expected results:
Documentation states correctly that "fsGroup" is configured as "MustRunAs"
Additional info:
Suggested change: Replace "Allows pods to use any FSGroup" with "Requires that a pod is run with a pre-allocated FSGroup"
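To make the difference between the two strategies concrete, here is an added illustration (not part of this bug report or of OpenShift's code) that models how an `fsGroup` admission decision differs between `RunAsAny` and `MustRunAs`. It assumes the pre-allocated range comes from the namespace annotation `openshift.io/sa.scc.supplemental-groups` in `min/size` or `min-max` form; the annotation name and the numeric values are assumptions, not taken from this page.

```python
# Constructed namespace annotation; the value is made up for the example.
NAMESPACE_ANNOTATIONS = {
    "openshift.io/sa.scc.supplemental-groups": "1000680000/10000",
}


def parse_range_blocks(annotation):
    """Parse comma-separated 'min/size' or 'min-max' blocks into (min, max) tuples."""
    ranges = []
    for block in annotation.split(","):
        block = block.strip()
        if "/" in block:                      # 'min/size' form
            start, size = block.split("/", 1)
            lo = int(start)
            hi = lo + int(size) - 1
        elif "-" in block:                    # 'min-max' form
            lo_s, hi_s = block.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            raise ValueError(f"malformed range block: {block!r}")
        if lo > hi:
            raise ValueError(f"empty range block: {block!r}")
        ranges.append((lo, hi))
    return ranges


def fsgroup_admission(pod_fs_group, strategy, scc_ranges=None, ns_annotation=None):
    """Return (allowed, effective_fs_group, reason) for a pod's fsGroup request.

    RunAsAny accepts whatever the pod asks for. MustRunAs validates against the
    SCC's own ranges, or, when the SCC lists none, against the namespace's
    pre-allocated range, and defaults an unset fsGroup to the first value.
    """
    if strategy == "RunAsAny":
        return True, pod_fs_group, "RunAsAny: any fsGroup accepted"
    if strategy != "MustRunAs":
        raise ValueError(f"unknown fsGroup strategy: {strategy!r}")
    ranges = scc_ranges or parse_range_blocks(ns_annotation)
    if pod_fs_group is None:
        return True, ranges[0][0], "MustRunAs: defaulted to first pre-allocated value"
    for lo, hi in ranges:
        if lo <= pod_fs_group <= hi:
            return True, pod_fs_group, "MustRunAs: fsGroup within pre-allocated range"
    return False, None, f"MustRunAs: fsGroup {pod_fs_group} outside ranges {ranges}"
```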