Bug
Resolution: Won't Do
Normal
4.11.z
Informational
Description of problem:
An executable script inside a ConfigMap with 0744 permissions that worked in 4.10 no longer works in 4.11 with permission denied errors due to restricted SCC changes.
Version-Release number of selected component (if applicable):
4.11.x
How reproducible:
Always
Steps to Reproduce:
Create a basic execute script:
cat execute.sh
#!/bin/sh
set -euo pipefail
echo "Execute script from CM"
Create the CM:
oc create configmap execute --from-file=execute.sh
Create the deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: execute
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cm
  template:
    metadata:
      labels:
        app: cm
    spec:
      securityContext:
        allowPrivilegeEscalation: true
      containers:
      - name: executetoolbox
        image: registry.redhat.io/rhel8/support-tools
        command: ["/scripts/execute.sh"]
        ports:
        - name: myport
          containerPort: 2368
          protocol: TCP
        volumeMounts:
        - name: execute
          mountPath: /scripts
      volumes:
      - name: execute
        configMap:
          name: execute
          defaultMode: 0744
Check logs:
oc logs execute-7fb77dff67-pxl76
exec /scripts/execute.sh: permission denied
Actual results:
Script does not execute - needs 754 permissions now
Expected results:
N/A
Additional info:
Change the permissions to give execute to the group: defaultMode: 0754
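
Added example, not part of the original report or of OpenShift's code: a Python model of the POSIX execute check plus a small manifest audit that flags container commands pointing into ConfigMap mounts whose mode lacks the execute bit for the class the process falls into. It assumes the mounted file is owned by root with the pod's fsGroup and the container runs as a non-root UID in that group, which is consistent with the reported fix but not stated on the page; the UID/GID values and function names are constructed.

```python
import stat

# Assumed identities (constructed): file owned by root with the pod's fsGroup,
# process running as a non-root UID that has that fsGroup as a supplemental group.
FILE_UID, FS_GROUP, PROC_UID = 0, 1000650000, 1000650000

def can_exec(mode, file_uid, file_gid, proc_uid, proc_gids):
    """POSIX execute check: only the first matching class (owner, group, other) counts."""
    if proc_uid == 0:
        return bool(mode & 0o111)          # root needs any execute bit
    if proc_uid == file_uid:
        return bool(mode & stat.S_IXUSR)
    if file_gid in proc_gids:
        return bool(mode & stat.S_IXGRP)   # 0744 fails here: group is r--
    return bool(mode & stat.S_IXOTH)

def audit(deployment):
    """Return (container, command, mode) for commands in ConfigMap mounts that cannot execute."""
    pod = deployment["spec"]["template"]["spec"]
    # Kubernetes defaults ConfigMap volume files to 0644 when defaultMode is unset.
    modes = {v["name"]: v["configMap"].get("defaultMode", 0o644)
             for v in pod.get("volumes", []) if "configMap" in v}
    findings = []
    for c in pod["containers"]:
        cmd = (c.get("command") or [""])[0]
        for m in c.get("volumeMounts", []):
            inside = cmd.startswith(m["mountPath"].rstrip("/") + "/")
            if inside and m["name"] in modes:
                mode = modes[m["name"]]
                if not can_exec(mode, FILE_UID, FS_GROUP, PROC_UID, {FS_GROUP}):
                    findings.append((c["name"], cmd, oct(mode)))
    return findings

def sample(mode):
    # Constructed manifest mirroring the report's Deployment, reduced to the relevant fields.
    return {"spec": {"template": {"spec": {
        "containers": [{"name": "executetoolbox", "command": ["/scripts/execute.sh"],
                        "volumeMounts": [{"name": "execute", "mountPath": "/scripts"}]}],
        "volumes": [{"name": "execute",
                     "configMap": {"name": "execute", "defaultMode": mode}}]}}}}

if __name__ == "__main__":
    print(audit(sample(0o744)))  # flagged: group class has no execute bit
    print(audit(sample(0o754)))  # not flagged
```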