Bug
Resolution: Duplicate
Normal
None
4.16.z
None
Important
None
False
Description of problem:
The following parameters have been added to the list of safe sysctls since Kubernetes v1.29 [1]:
net.ipv4.tcp_keepalive_time
net.ipv4.tcp_fin_timeout
net.ipv4.tcp_keepalive_intvl
net.ipv4.tcp_keepalive_probes
However, the list of safe sysctls returned by SafeSysctlAllowlist() in OpenShift has not been updated to include them [2].
[1] https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#safe-and-unsafe-sysctls
[2] https://github.com/openshift/apiserver-library-go/blob/e88385a79b1724850143487d507f606f8540f437/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go#L32
Because of this, a pod that sets any of these safe sysctls is rejected by SCC admission for non-privileged users, with the sysctl reported as unsafe.
(See "Steps to Reproduce" for details.)
$ oc apply -f pod-sysctl.yaml
Error from server (Forbidden): error when creating "pod-sysctl.yaml": pods "pod-sysctl" is forbidden: unable to validate against any security context constraint: [provider "trident-controller": Forbidden: not usable by user or serviceaccount, provider "anyuid": Forbidden: not usable by user or serviceaccount, pod.spec.securityContext.sysctls[0]: Forbidden: unsafe sysctl "net.ipv4.tcp_fin_timeout" is not allowed, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "trident-node-linux": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
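To make the SCC decision concrete, here is an added Go model of the allowlist check (my own simplification, not the code in apiserver-library-go): a stale allowlist rejects net.ipv4.tcp_fin_timeout exactly as in the error above, while an allowlist extended with the four v1.29 names admits it. The pre-v1.29 baseline list is reproduced from the upstream docs from memory, and the prefix-wildcard convention plus the allowedUnsafe/forbidden parameters are assumptions about how the real matcher behaves.

```go
package main

import (
	"fmt"
	"strings"
)

// Upstream safe sysctls before v1.29 (from the upstream docs, from memory) plus the four the report says v1.29 added.
var safeSysctlsPre129 = []string{"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range",
	"net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range", "net.ipv4.ip_unprivileged_port_start"}
var safeSysctlsAddedIn129 = []string{"net.ipv4.tcp_keepalive_time", "net.ipv4.tcp_fin_timeout",
	"net.ipv4.tcp_keepalive_intvl", "net.ipv4.tcp_keepalive_probes"}

// matchesAny: a pattern ending in "*" is a prefix match, anything else must match exactly (assumed convention).
func matchesAny(name string, patterns []string) bool {
	for _, p := range patterns {
		if name == p || (strings.HasSuffix(p, "*") && strings.HasPrefix(name, strings.TrimSuffix(p, "*"))) {
			return true
		}
	}
	return false
}

// validateSysctls models the SCC decision for pod.spec.securityContext.sysctls:
// a forbidden pattern wins; otherwise the name must be in the safe allowlist or
// in the SCC's allowedUnsafeSysctls. Returns one message per rejected sysctl.
func validateSysctls(names, safe, allowedUnsafe, forbidden []string) []string {
	var errs []string
	for i, n := range names {
		switch {
		case matchesAny(n, forbidden):
			errs = append(errs, fmt.Sprintf("sysctls[%d]: forbidden sysctl %q", i, n))
		case matchesAny(n, safe) || matchesAny(n, allowedUnsafe):
		default:
			errs = append(errs, fmt.Sprintf("sysctls[%d]: unsafe sysctl %q is not allowed", i, n))
		}
	}
	return errs
}

// updatedAllowlist is the pre-v1.29 list plus the four names added in v1.29.
func updatedAllowlist() []string {
	return append(append([]string{}, safeSysctlsPre129...), safeSysctlsAddedIn129...)
}

func main() {
	pod := []string{"net.ipv4.tcp_fin_timeout"} // the sysctl from pod-sysctl.yaml
	fmt.Println("stale allowlist:  ", validateSysctls(pod, safeSysctlsPre129, nil, nil))
	fmt.Println("updated allowlist:", validateSysctls(pod, updatedAllowlist(), nil, nil))
}
```

The third argument shows the administrative workaround until the allowlist is fixed: an SCC whose allowedUnsafeSysctls covers the name admits it even against the stale list.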
Version-Release number of selected component (if applicable):
OpenShift v4.16.4
How reproducible:
Always
Steps to Reproduce:
Step 1. Log in as a non-privileged user.
$ oc login -u user
Step 2. Create the following YAML file and apply it.
$ cat pod-sysctl.yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-sysctl
spec:
  containers:
  - name: con-sysctl
    image: registry.nec.test:5000/ubi8/ubi
    command: ["/bin/bash", "-c", "tail -f /dev/null & wait"]
  securityContext:
    sysctls:
    - name: net.ipv4.tcp_fin_timeout
      value: "30"
$ oc apply -f pod-sysctl.yaml
Actual results:
Applying the pod was blocked by SCC, with the error shown in the description above.
Expected results:
The YAML with safe sysctls can be applied by a non-privileged user.
The specified sysctls are enabled in the pod.
Is duplicated by: OCPBUGS-42057 [OCP-4.16] Creating pod with the safe sysctls configuration failed for non-privileged users (Closed)