- Bug
- Resolution: Duplicate
- Minor
- None
- 4.12.z, 4.11.z
- None
- No
- False
Description of problem:
The 'ephemeral' permission under 'volumes' is not added to the restricted-v2 SCC when upgrading from 4.11.43 -> 4.12.40.
Version-Release number of selected component (if applicable):
4.11.43 -> 4.12.40
How reproducible:
100%, fresh install
Steps to Reproduce:
1. Install OpenShift 4.11.43
2. Check restricted-v2 scc permissions:
~~~
$ oc get scc restricted-v2 -o yaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    kubernetes.io/description: restricted-v2 denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC and it is used by default for authenticated users. On top of the legacy 'restricted' SCC, it also requires to drop ALL capabilities and does not allow privilege escalation binaries. It will also default the seccomp profile to runtime/default if unset, otherwise this seccomp profile is required.
  creationTimestamp: "2024-02-29T17:55:21Z"
  generation: 1
  name: restricted-v2
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 982bb000-3c27-41ff-b1c1-19f40d15e143
  resourceVersion: "1788"
  uid: 9e2cb8a3-2b96-4d30-85b3-675339df0c61
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
seccompProfiles:
- runtime/default
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
~~~
3. Upgrade to OpenShift 4.12.40, check permissions: still the same (missing ephemeral)
4. Install OpenShift 4.12.40, check permissions (ephemeral is added under volumes):
~~~
$ oc get scc restricted-v2 -o yaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    kubernetes.io/description: restricted-v2 denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC and it is used by default for authenticated users. On top of the legacy 'restricted' SCC, it also requires to drop ALL capabilities and does not allow privilege escalation binaries. It will also default the seccomp profile to runtime/default if unset, otherwise this seccomp profile is required.
  creationTimestamp: "2024-02-29T18:36:57Z"
  generation: 1
  name: restricted-v2
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 706d1d4c-0e5c-4a65-abd7-a5958b1c3afc
  resourceVersion: "1751"
  uid: 7fc011ca-e710-4e49-be42-ddd2ca28314a
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
seccompProfiles:
- runtime/default
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- ephemeral <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
- persistentVolumeClaim
- projected
- secret
~~~
Actual results:
See above
Expected results:
Expecting the SCC to update.
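A post-upgrade SCC drift check for this case, added here as an example and not part of the bug report or of OpenShift: it compares an SCC as observed on the upgraded cluster with the fresh-install baseline of the same release and reports list entries that are missing or extra plus any flipped host/privilege boolean. The two dicts are constructed from the restricted-v2 dumps above, trimmed to the relevant fields; the field names are real SecurityContextConstraints fields.

```python
"""Compare an observed SCC against a fresh-install baseline of the same release."""
import json
import sys

# List-valued SCC fields compared as sets (order in the manifest is irrelevant).
LIST_FIELDS = ("volumes", "allowedCapabilities", "requiredDropCapabilities",
               "seccompProfiles")
# Host/privilege switches; any difference from the baseline is reported.
BOOL_FIELDS = ("allowHostDirVolumePlugin", "allowHostIPC", "allowHostNetwork",
               "allowHostPID", "allowHostPorts", "allowPrivilegeEscalation",
               "allowPrivilegedContainer")


def scc_drift(observed, baseline):
    """Return {field: finding} for every field that differs from the baseline.

    For list fields the finding holds 'missing' entries (present in the baseline
    but not observed, e.g. the 'ephemeral' volume type after an upgrade) and
    'extra' entries (observed but not in the baseline). For booleans it holds
    both values. An empty dict means the SCC matches the baseline.
    """
    findings = {}
    for field in LIST_FIELDS:
        got, want = set(observed.get(field) or []), set(baseline.get(field) or [])
        if got != want:
            findings[field] = {"missing": sorted(want - got), "extra": sorted(got - want)}
    for field in BOOL_FIELDS:
        if observed.get(field, False) != baseline.get(field, False):
            findings[field] = {"observed": observed.get(field, False),
                               "baseline": baseline.get(field, False)}
    return findings


# Constructed sample input, reduced from the two `oc get scc restricted-v2` dumps.
UPGRADED_4_12 = {
    "allowHostNetwork": False, "allowPrivilegeEscalation": False,
    "allowedCapabilities": ["NET_BIND_SERVICE"],
    "requiredDropCapabilities": ["ALL"],
    "seccompProfiles": ["runtime/default"],
    "volumes": ["configMap", "downwardAPI", "emptyDir",
                "persistentVolumeClaim", "projected", "secret"],
}
FRESH_4_12 = dict(UPGRADED_4_12, volumes=UPGRADED_4_12["volumes"] + ["ephemeral"])

if __name__ == "__main__":
    # Live use: oc get scc restricted-v2 -o json | python3 scc_drift.py
    observed = json.load(sys.stdin) if not sys.stdin.isatty() else UPGRADED_4_12
    result = scc_drift(observed, FRESH_4_12)
    print(json.dumps(result, indent=2) if result else "no drift from baseline")
    sys.exit(1 if result else 0)
```

Run against the sample data it reports only `volumes: missing ["ephemeral"]`, which is the gap that makes pods requesting generic ephemeral volumes fail admission under restricted-v2 on the upgraded cluster.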
Additional info:
- is related to OCPBUGS-19843 [ARO-4.14] csi volumes are not allowed for normal users (Closed)