Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-42057

[OCP-4.16] Creating pod with the safe sysctls configuration failed for non-privileged users

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • 4.16.z
    • 4.16.z
    • apiserver-auth
    • None
    • Important
    • None
    • OCP Node Sprint 259 (Green)
    • 1
    • Hide

      None

      Show
      None
    • N/A
    • Release Note Not Required
    • Done

      Description of problem:
      The following parameter has been added to safe sysctls since k8s v1.29[1].

      net.ipv4.tcp_keepalive_time
      net.ipv4.tcp_fin_timeout
      net.ipv4.tcp_keepalive_intvl
      net.ipv4.tcp_keepalive_probes
      However, the list of safe sysctls returned by SafeSysctlAllowlist() in OpenShift is not updated [2].

      [1] https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#safe-and-unsafe-sysctls
      [2] https://github.com/openshift/apiserver-library-go/blob/e88385a79b1724850143487d507f606f8540f437/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L32

      Due to this, the pod with these safe sysctls configuration is blocked by SCC for non-privileged users.
      (Look at "Steps to Reproduce" for details.)

      $ oc apply -f pod-sysctl.yaml
      Error from server (Forbidden): error when creating "pod-sysctl.yaml": pods "pod-sysctl" is forbidden: unable to validate against any security context constraint: [provider "trident-controller": Forbidden: not usable by user or serviceaccount, provider "anyuid": Forbidden: not usable by user or serviceaccount, pod.spec.securityContext.sysctls[0]: Forbidden: unsafe sysctl "net.ipv4.tcp_fin_timeout" is not allowed, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "trident-node-linux": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
      Version-Release number of selected component (if applicable):
      OpenShift v4.16.4
      How reproducible:
      Always

      Steps to Reproduce:
      Step1. Login as a non-privileged user.

      $ oc login -u user
      Step2. Create the following yaml file and apply it.

      $ cat pod-sysctl.yaml
      apiVersion: v1
      kind: Pod
      metadata:
      name: pod-sysctl
      spec:
      containers:

      • name: con-sysctl
        image: registry.nec.test:5000/ubi8/ubi
        command: ["/bin/bash", "-c", "tail -f /dev/null & wait"]
        securityContext:
        sysctls:
      • name: net.ipv4.tcp_fin_timeout
        value: "30"
        $ oc apply -f pod-sysctl.yaml
        Actual results:
        Applying the pod was blocked by SCC.

      $ oc apply -f pod-sysctl.yaml
      Error from server (Forbidden): error when creating "pod-sysctl.yaml": pods "pod-sysctl" is forbidden: unable to validate against any security context constraint: [provider "trident-controller": Forbidden: not usable by user or serviceaccount, provider "anyuid": Forbidden: not usable by user or serviceaccount, pod.spec.securityContext.sysctls[0]: Forbidden: unsafe sysctl "net.ipv4.tcp_fin_timeout" is not allowed, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "trident-node-linux": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
      Expected results:
      The yaml with safe sysctls can be applied by non-privileged user.
      The specified sysctls are enabled in the pod.

              skunkerk Sohan Kunkerkar
              skunkerk Sohan Kunkerkar
              Xingxing Xia Xingxing Xia
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: