Bug
Resolution: Won't Do
Major
4.13.0
Quality / Stability / Reliability
False
Low
Rejected
Description of problem:
Create a custom SCC with a hardcoded seLinuxOptions, then create a deployment that uses that SCC. The SCC was not taken into use.
Version-Release number of selected component (if applicable):
4.13.0-0.nightly-2022-12-20-174734 + security-profiles-operator-bundle-container-0.5.0-62
How reproducible:
Always
Steps to Reproduce:
1. Install Security Profiles Operator
2. Create the project and a SelinuxProfile:
$ oc new-project nginx-secure
$ oc apply -f -<<EOF
apiVersion: security-profiles-operator.x-k8s.io/v1alpha2
kind: SelinuxProfile
metadata:
  name: test-selinux-recording-nginx-0
spec:
  allow:
    '@self':
      tcp_socket:
      - listen
    http_cache_port_t:
      tcp_socket:
      - name_bind
    node_t:
      tcp_socket:
      - node_bind
  inherit:
  - kind: System
    name: container
EOF
3. Create the SCC:
$ oc apply -f -<<EOF
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: A special SCC for running nginx with a custom SELinux policy
  name: nginx-secure
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
  seLinuxOptions:
    type: test-selinux-recording-nginx-0_nginx-secure.process   # the SelinuxProfile created in step 2
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:nginx-secure:nginx-sa
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
EOF
4. Create the service account, role and role binding:
$ oc apply -f -<<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: null
  name: nginx-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: spo-record
rules:
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  resourceNames:
  - nginx-secure
  verbs:
  - use
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: spo-record
subjects:
- kind: ServiceAccount
  name: nginx-sa
roleRef:
  kind: Role
  name: spo-record
  apiGroup: rbac.authorization.k8s.io
EOF
5. Create the workload:
$ oc apply -f -<<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: nginx-sa
      containers:
      - name: nginx
        image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
EOF
Actual results:
The SCC was not taken into use by the pods.
$ oc get pod -o=jsonpath={.items[*].spec.securityContext} | jq -r
{
  "fsGroup": 1000940000,
  "seLinuxOptions": {
    "level": "s0:c31,c5"
  },
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}
{
  "fsGroup": 1000940000,
  "seLinuxOptions": {
    "level": "s0:c31,c5"
  },
  "seccompProfile": {
    "type": "RuntimeDefault"
  }
}
Expected results:
The pods should use test-selinux-recording-nginx-0_nginx-secure.process as the seLinuxOptions type:
$ oc get pod my-deployment-5747455fb4-42hg5 -o=jsonpath={.spec.securityContext.seLinuxOptions.type}
test-selinux-recording-nginx-0_nginx-secure.process
Additional info:
If I update the SCC to privileged and apply the patch.yaml below to the deployment, the securityContext is correct:
$ cat patch.yaml
spec:
  template:
    spec:
      securityContext:
        seLinuxOptions:
          type: test-selinux-recording-nginx-0_nginx-secure.process
$ oc -n nginx-secure patch deployment/my-deployment --patch-file patch.yaml --type=merge
$ oc get pod my-deployment-5747455fb4-42hg5 -o=jsonpath={.spec.securityContext.seLinuxOptions.type}
test-selinux-recording-nginx-0_nginx-secure.process
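As an added check that is not part of the bug report, the script below reads a pod list in the shape of `oc get pod -o json`, reports which SCC admission applied to each pod (the openshift.io/scc annotation that SCC admission writes) and the effective SELinux type per container, taking into account that a container-level seLinuxOptions overrides the pod-level one; the embedded pod list is constructed from the results above, and the second pod's name, the annotation values and its container-level override are assumptions.

```python
import json

# Constructed sample, modelled on the jq output under "Actual results": the
# first pod carries only an MCS level and no SELinux type; the second (assumed)
# pod sets the type at container level, which takes precedence over pod level.
# The openshift.io/scc annotation values are constructed placeholders.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"name": "my-deployment-5747455fb4-42hg5",
                  "annotations": {"openshift.io/scc": "other-scc"}},
     "spec": {"securityContext": {"fsGroup": 1000940000,
                                  "seLinuxOptions": {"level": "s0:c31,c5"},
                                  "seccompProfile": {"type": "RuntimeDefault"}},
              "containers": [{"name": "nginx"}]}},
    {"metadata": {"name": "my-deployment-5747455fb4-zz9q1",
                  "annotations": {"openshift.io/scc": "nginx-secure"}},
     "spec": {"securityContext": {"fsGroup": 1000940000,
                                  "seLinuxOptions": {"level": "s0:c31,c5"}},
              "containers": [{"name": "nginx", "securityContext": {"seLinuxOptions": {
                  "type": "test-selinux-recording-nginx-0_nginx-secure.process"}}}]}},
]})

EXPECTED_SCC = "nginx-secure"
EXPECTED_TYPE = "test-selinux-recording-nginx-0_nginx-secure.process"


def effective_selinux_type(pod):
    """Map container name -> effective SELinux type (container-level wins over pod-level)."""
    pod_type = pod["spec"].get("securityContext", {}).get("seLinuxOptions", {}).get("type")
    types = {}
    for c in pod["spec"].get("containers", []):
        c_type = c.get("securityContext", {}).get("seLinuxOptions", {}).get("type")
        types[c["name"]] = c_type or pod_type
    return types


def audit(pod_list_json, expected_scc=EXPECTED_SCC, expected_type=EXPECTED_TYPE):
    """Map pod name -> (applied SCC, {container: effective type}, ok flag)."""
    report = {}
    for pod in json.loads(pod_list_json)["items"]:
        name = pod["metadata"]["name"]
        scc = pod["metadata"].get("annotations", {}).get("openshift.io/scc")
        types = effective_selinux_type(pod)
        ok = scc == expected_scc and all(t == expected_type for t in types.values())
        report[name] = (scc, types, ok)
    return report


if __name__ == "__main__":
    for name, (scc, types, ok) in audit(SAMPLE_POD_LIST).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name} scc={scc} types={types}")
```

Against a live cluster, feed it `oc get pod -n nginx-secure -o json` instead of the constructed sample; a FAIL line with a different SCC name tells you admission chose another SCC, while a FAIL with the right SCC but an empty type points at the SCC's seLinuxOptions not being applied.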