OpenShift Bugs / OCPBUGS-543

[4.9] capabilities are not honored


Details

    • Bug
    • Resolution: Done
    • Critical
    • 4.9.z
    • 4.10
    • Node / CRI-O
    • None
    • Important
    • False

    Description

      Description of problem:
      Capabilities are not honored on some versions.

      Version-Release number of selected component (if applicable):

      from my testings:

      4.10.24 - OVNKubernetes: Failed

      How reproducible:
      always on those versions

      Steps to Reproduce:
      1. run the script
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      $ cat test.sh
      oc new-project capabilities
      oc create sa test
      oc adm policy add-scc-to-user privileged -z test
      oc get clusterrolebindings system:openshift:scc:privileged -o wide
      echo enter to create a deployment; read a
      cat << EOF | oc create -f -
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: testpod
        namespace: capabilities
      spec:
        selector:
          matchLabels:
            app: testpod
        template:
          metadata:
            labels:
              app: testpod
          spec:
            containers:
            - image: registry.redhat.io/openshift4/cnf-tests-rhel8
              imagePullPolicy: IfNotPresent
              name: dk-container1
              command: ['sh', '-c', 'echo _____ app is running! && sleep 3600']
              securityContext:
                capabilities:
                  add:
                  - NET_ADMIN
                  - NET_RAW
                  - DAC_READ_SEARCH
                  - IPC_LOCK
                  - SYS_MODULE
                  - SYS_RAWIO
                  - SYS_PTRACE
                  - SYS_ADMIN
                  - SYS_NICE
                  - SYS_TIME
                  - SYS_TTY_CONFIG
                  - SYS_RESOURCE
                  - SYS_CHROOT
                  - SETFCAP
            securityContext:
              fsGroup: 2001
              runAsGroup: 2001
              runAsUser: 2101
            serviceAccount: test
            serviceAccountName: test
      EOF
      # wait until the pod is Running before reading the capabilities of its PID 1
      until oc get pods | grep testpod | grep -q Running; do echo wait for pod to be Running; sleep 15; done
      echo capabilities:
      oc exec -ti $(oc get pods -o name) -- getpcaps 1
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      2. bash test.sh

      Actual results:
      Capabilities are not displayed

      Expected results:
      Capabilities should be displayed
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Capabilities for `1': = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_setfcap+i
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
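      An added check, not part of the bug report: it decodes a container's capability sets from /proc/<pid>/status and lists which of the capabilities requested in the deployment never reached the effective set, which is the set that actually authorizes privileged operations. The /proc excerpt is constructed to mirror the getpcaps output above (every capability in the inheritable set only, nothing permitted or effective); the REQUESTED list is the add list from the deployment.

```python
import re

# Capability bit numbers from linux/capability.h (list index == CAP_* value).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

def decode_mask(hex_mask):
    """Hex mask as printed in /proc/<pid>/status -> set of cap_* names."""
    bits = int(hex_mask, 16)
    return {f"cap_{n}" for i, n in enumerate(CAP_NAMES) if (bits >> i) & 1}

def parse_proc_status(text):
    """Return {"CapInh": {...}, "CapPrm": {...}, "CapEff": {...}, ...}."""
    return {m.group(1): decode_mask(m.group(2))
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", text, re.M)}

def missing_effective(requested, sets):
    """Requested caps (pod-spec spelling, e.g. NET_ADMIN) absent from CapEff.
    An empty result means the request was honored."""
    wanted = {f"cap_{c.lower()}" for c in requested}
    return sorted(wanted - sets.get("CapEff", set()))

# Constructed /proc/1/status excerpt mirroring the report: the caps sit only in
# the inheritable set (the "+i" of the getpcaps output), none are effective.
SAMPLE_STATUS = """\
Uid:\t2101\t2101\t2101\t2101
CapInh:\t0000000087af75ff
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000000087af75ff
CapAmb:\t0000000000000000
"""
# The securityContext.capabilities.add list from the deployment above.
REQUESTED = ["NET_ADMIN", "NET_RAW", "DAC_READ_SEARCH", "IPC_LOCK", "SYS_MODULE",
             "SYS_RAWIO", "SYS_PTRACE", "SYS_ADMIN", "SYS_NICE", "SYS_TIME",
             "SYS_TTY_CONFIG", "SYS_RESOURCE", "SYS_CHROOT", "SETFCAP"]

if __name__ == "__main__":
    caps = parse_proc_status(SAMPLE_STATUS)
    print("inheritable only:", ", ".join(sorted(caps["CapInh"] - caps["CapEff"])))
    print("requested but not effective:", ", ".join(missing_effective(REQUESTED, caps)))
```

      On a live pod, feed it the output of `oc exec <pod> -- cat /proc/1/status` instead of SAMPLE_STATUS.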

      Additional info:

            People

              pehunt@redhat.com Peter Hunt
              pehunt@redhat.com Peter Hunt
              Sunil Choudhary
              Votes: 0
              Watchers: 4