OpenShift Bugs / OCPBUGS-51153

Default value of allowPrivilegeEscalation in OpenShift cluster differs from official documentation

    • Type: Bug
    • Resolution: Not a Bug
    • Priority: Normal
    • Affects Version/s: 4.17.z
    • Component/s: Security
    • Quality / Stability / Reliability
    • Moderate

      Description of problem:

      The OpenShift documentation [1] states that allowPrivilegeEscalation must be unset or set to false in the security contexts of the restricted SCC.
      However, in OpenShift clusters the default value of allowPrivilegeEscalation in the restricted SCC is true, contrary to that recommendation.

      [1] https://docs.openshift.com/container-platform/4.17/authentication/managing-security-context-constraints.html

      Version-Release number of selected component (if applicable):

      All 4.z OCP versions

      How reproducible:

      100%

      Steps to Reproduce:

      1. Read the OpenShift documentation on allowPrivilegeEscalation, which recommends leaving it unset or setting it to false.
      2. Create a new OpenShift cluster.
      3. Inspect the default value of allowPrivilegeEscalation in the restricted SCC YAML.
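To make step 3 repeatable as an audit rather than a manual read of the YAML, the following added example (not part of the ticket and not OpenShift's own tooling) checks an SCC object for the documented setting and reports which containers of a pod admitted under that SCC would end up with privilege escalation allowed. The SCC and pod documents are constructed inline in the shape of `oc get ... -o json` output; on a real cluster you would feed it that output instead.

```python
"""Audit allowPrivilegeEscalation on an SCC and on the containers it admits."""
import json

# Constructed sample, shaped like `oc get scc restricted -o json`: an SCC
# whose allowPrivilegeEscalation is true, as observed in the ticket.
SCC_JSON = """{
  "apiVersion": "security.openshift.io/v1",
  "kind": "SecurityContextConstraints",
  "metadata": {"name": "restricted"},
  "allowPrivilegeEscalation": true,
  "allowPrivilegedContainer": false
}"""

# Constructed sample pod: one container pins the field to false, the other
# leaves it unset and therefore inherits whatever the SCC allows.
POD_JSON = """{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "demo", "annotations": {"openshift.io/scc": "restricted"}},
  "spec": {"containers": [
    {"name": "hardened", "image": "example/app",
     "securityContext": {"allowPrivilegeEscalation": false}},
    {"name": "default", "image": "example/app"}
  ]}
}"""

def scc_violates_doc(scc: dict) -> bool:
    """True when the SCC explicitly allows escalation. The documentation cited
    in the ticket requires the field to be unset or false, so only an explicit
    true is reported."""
    return scc.get("allowPrivilegeEscalation") is True

def effective_escalation(container: dict, scc: dict) -> bool:
    """Effective allowPrivilegeEscalation for a container admitted under scc.
    An explicit container value wins; otherwise the SCC value applies; if both
    are unset, Kubernetes defaults the container field to true. The privileged
    and CAP_SYS_ADMIN special cases are ignored here (assumption)."""
    ctx = container.get("securityContext") or {}
    if "allowPrivilegeEscalation" in ctx:
        return bool(ctx["allowPrivilegeEscalation"])
    if scc.get("allowPrivilegeEscalation") is not None:
        return bool(scc["allowPrivilegeEscalation"])
    return True

def audit(scc_json: str, pod_json: str) -> tuple:
    """Return (scc contradicts documentation, names of containers that may escalate)."""
    scc, pod = json.loads(scc_json), json.loads(pod_json)
    risky = [c["name"] for c in pod["spec"]["containers"] if effective_escalation(c, scc)]
    return scc_violates_doc(scc), risky

if __name__ == "__main__":
    print(audit(SCC_JSON, POD_JSON))
```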

      Actual results:

      The value of allowPrivilegeEscalation is true by default in the restricted SCC in the cluster, whereas the official OpenShift documentation recommends false.

      Expected results:

      The value of allowPrivilegeEscalation should be false or unset in the restricted SCC, as stated in the documentation.

      Additional info:

      Impact:
      This discrepancy between the documentation and the actual cluster configuration may lead to security risks if allowPrivilegeEscalation is inadvertently left set to true in production environments.

      People:
      rh-ee-bleanhar Brenton Leanhardt
      rhn-support-sdharma Suruchi Dharma
      Xiaojie Yuan