Bug
Resolution: Can't Do
Major
4.14.z, 4.15.z, 4.17.z, 4.16.z, 4.18.z
Quality / Stability / Reliability
False
Important
Description of problem:
We have identified that the pod lifecycle-agent-controller-manager, in the openshift-lifecycle-agent namespace, is configured with a hostPath volume mounted with read-write (RW) access. The following mount was observed:

Mount Path: / → Host Path: / (Access Type: RW)

This configuration is a violation of Kubernetes and industry-standard security best practices, as explicitly stated in the Kubernetes documentation: https://kubernetes.io/docs/concepts/storage/volumes/#hostpath

Using a hostPath with RW permissions—especially one that mounts the root of the host filesystem (/)—introduces significant security risks. This includes potential unauthorized modification of host-level files, privilege escalation, and bypassing of container isolation guarantees.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Check the pods in openshift-lifecycle-agent project
2. Open yaml of lifecycle-agent-controller-manager pod
3. Check volumeMounts:
   - mountPath: /
4. Check access mode
Actual results:
The lifecycle-agent-controller-manager pod is deployed with a hostPath volume mounted with read-write (RW) access to the host root directory (/). This exposes the entire host filesystem to the container with elevated permissions. There is currently no supported mechanism or operator-level control to modify this pod spec, restrict the scope of the mount, or enforce readOnly: true for improved security posture.
Expected results:
We request one of the following actions from the OpenShift product team:
- Check if we can replace RW hostPath mounts with read-only equivalents wherever feasible.
- Refactor the pod to scope hostPath access only to specific files or subdirectories, with minimal privilege.
- Provide an officially supported method or operator to manage these mounts securely.
- Ensure alignment with Pod Security Standards in future releases.
Additional info:
Security Concerns: RW hostPath mounts to the root (/) are particularly risky as they grant broad access to the node filesystem and can lead to privilege escalation or accidental modification of host resources.

This issue is similar to OCPBUGS-55234, which reported the same pattern in the kube-rbac-proxy-crio container under openshift-machine-config-operator. A broader audit may be required to identify and address other components with similar configurations.
relates to: OCPBUGS-55234 RW hostPath mount in kube-rbac-proxy-crio static pod violates best practices in RHOCP4 (Closed)
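The report suggests a broader audit for components with the same mount pattern. The following Python script is an added example, not part of the original report or of any OpenShift tooling: it scans pod JSON for container mounts backed by a writable hostPath volume and marks those that expose the host root. The sample data is constructed; its container, volume and second-pod names are hypothetical.

```python
import json
import sys

def audit_hostpath_mounts(pod_list):
    """Return one finding per container mount that exposes a hostPath volume writable."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        # volume name -> host path, for hostPath-backed volumes only
        host_vols = {v["name"]: v["hostPath"].get("path", "")
                     for v in spec.get("volumes") or [] if v.get("hostPath")}
        containers = [c for key in ("initContainers", "containers", "ephemeralContainers")
                      for c in spec.get(key) or []]
        for c in containers:
            for m in c.get("volumeMounts") or []:
                # readOnly defaults to false, so an absent field means read-write
                if m.get("name") not in host_vols or m.get("readOnly", False):
                    continue
                path = host_vols[m["name"]]
                findings.append({
                    "namespace": meta.get("namespace"), "pod": meta.get("name"),
                    "container": c.get("name"), "hostPath": path,
                    "mountPath": m.get("mountPath"),
                    # the whole node filesystem is writable from the container
                    "hostRoot": bool(path) and not path.strip("/"),
                })
    return findings

# Constructed sample, shaped like `oc get pods -A -o json` output. The first pod
# mirrors the mount in the report; container and volume names are hypothetical.
SAMPLE = {"items": [
    {"metadata": {"namespace": "openshift-lifecycle-agent",
                  "name": "lifecycle-agent-controller-manager"},
     "spec": {"volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
              "containers": [{"name": "manager", "volumeMounts": [
                  {"name": "host-root", "mountPath": "/"}]}]}},
    {"metadata": {"namespace": "example-ns", "name": "log-reader"},
     "spec": {"volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}},
                          {"name": "cfg", "configMap": {"name": "reader-cfg"}}],
              "containers": [{"name": "reader", "volumeMounts": [
                  {"name": "logs", "mountPath": "/logs", "readOnly": True},
                  {"name": "cfg", "mountPath": "/etc/reader"}]}]}},
]}

if __name__ == "__main__":
    # Usage: oc get pods -A -o json | python3 this_file.py   (no pipe: runs the sample)
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit_hostpath_mounts(data):
        tag = "HOST-ROOT-RW" if f["hostRoot"] else "HOSTPATH-RW"
        print(f'{tag} {f["namespace"]}/{f["pod"]} [{f["container"]}] '
              f'{f["hostPath"]} -> {f["mountPath"]}')
```

Read-only hostPath mounts and non-hostPath volumes are skipped, so the output lists only the mounts that would need `readOnly: true` or a narrower path.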