Bug | Resolution: Not a Bug | Major | 4.20 | Quality / Stability / Reliability | Important | x86_64 | Proposed
Description of problem:
SCC validation fails when creating a pod with a user namespace as a non-admin user.
Version-Release number of selected component (if applicable):
4.20.0-0.ci-2025-08-12-232211
How reproducible:
always
Steps to Reproduce:
1. Create a custom SCC as follows:
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true   # set it true
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
  ranges:   # set the ranges [0,65534]
  - min: 0
    max: 65534
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    kubernetes.io/description: restricted-v2 denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC and it is used by default for authenticated users. On top of the legacy 'restricted' SCC, it also requires to drop ALL capabilities and does not allow privilege escalation binaries. It will also default the seccomp profile to runtime/default if unset, otherwise this seccomp profile is required.
  creationTimestamp: "2025-06-25T07:58:43Z"
  generation: 1
  name: nested-podman
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:   # not set
runAsUser:
  type: MustRunAsRange
  ranges:
  - min: 0
    max: 65534
seLinuxContext:
  type: MustRunAs
  seLinuxOptions:
    type: container_engine_t   # set it to container_engine_t
seccompProfiles:
- runtime/default
supplementalGroups:
  type: MustRunAs
  ranges:
  - min: 0
    max: 65534
userNamespaceLevel: RequirePodLevel   # set it to RequirePodLevel
users: [ testuser-49 ]   # set the user name testuser-49
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
2. Add the SCC to the non-admin user testuser-49:
% oc adm policy add-scc-to-user nested-podman testuser-49
3. Log in to the cluster as the non-admin user testuser-49:
% oc login -u testuser-49 -p XXX
Login successful.
4. Create a new project:
% oc new-project podman-demo
5. Edit the namespace podman-demo as admin user (set "0/65534" for openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups):
# oc get ns podman-demo -o yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/description: ""
    openshift.io/display-name: ""
    openshift.io/requester: testuser-49
    openshift.io/sa.scc.mcs: s0:c27,c19
    openshift.io/sa.scc.supplemental-groups: 0/65534
    openshift.io/sa.scc.uid-range: 0/65534
    security.openshift.io/MinimallySufficientPodSecurityStandard: baseline
  creationTimestamp: "2025-08-14T07:09:40Z"
....
6. Create a pod as user testuser-49 (set seLinuxOptions.level to the same value as in namespace podman-demo):
apiVersion: v1
kind: Pod
metadata:
  name: nested-podman-1
  annotations:
    io.kubernetes.cri-o.Devices: "/dev/fuse,/dev/net/tun"
    openshift.io/scc: nested-podman
spec:
  hostUsers: false   # user namespace
  containers:
  - name: nested-podman
    image: docker.io/lyman9966/baseline-nested-container:v1.0
    args:
    - sleep
    - "1000000"
    securityContext:
      runAsUser: 1000
      seLinuxOptions:
        type: "container_engine_t"
        level: "s0:c27,c19"
      procMount: Unmasked
      capabilities:
        add:
        - "NET_BIND_SERVICE"
Actual results:
6. The pod can't be created; SCC validation fails on the nested-podman provider with: .containers[0].seLinuxOptions.type: Invalid value: "container_engine_t": must be (the expected value after "must be" is empty). Full error from the server:
Error from server (Forbidden): error when creating "pod-user-namespace-demo.yaml": pods "nested-podman-1" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].seLinuxOptions.type: Invalid value: "container_engine_t": must be , provider "restricted-v3": Forbidden: not usable by user or serviceaccount, provider "restricted": Forbidden: not usable by user or serviceaccount, provider nested-podman: .containers[0].seLinuxOptions.type: Invalid value: "container_engine_t": must be , provider "nested-container": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid-v2": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "insights-runtime-extractor-scc": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
Expected results:
6. The pod is created successfully.
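A triage helper for the admission error above, added here as an example; it is not part of the original report or of OpenShift. It splits the "unable to validate against any security context constraint" message into one reason per SCC, separates SCCs the user simply cannot use from those that were actually evaluated, and extracts the failing field, the submitted value and the expected value (which is empty in this report). The sample message is constructed from the error above, trimmed to four providers.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the admission error from this report, trimmed to four
# providers (the real message lists every SCC in the cluster).
SAMPLE_ERROR = (
    'pods "nested-podman-1" is forbidden: unable to validate against any '
    'security context constraint: [provider "anyuid": Forbidden: not usable '
    'by user or serviceaccount, provider restricted-v2: '
    '.containers[0].seLinuxOptions.type: Invalid value: "container_engine_t": '
    'must be , provider nested-podman: .containers[0].seLinuxOptions.type: '
    'Invalid value: "container_engine_t": must be , provider "privileged": '
    'Forbidden: not usable by user or serviceaccount]'
)

NOT_USABLE = "not usable by user or serviceaccount"
# Provider names appear both quoted ("anyuid") and bare (restricted-v2).
_PROVIDER_RE = re.compile(r'provider "?([A-Za-z0-9._-]+)"?: ')
# Field rejections look like: <path>: Invalid value: "<given>": must be <expected>
_INVALID_RE = re.compile(r'^(\.[^:]+): Invalid value: "([^"]*)": must be ?(.*)$')


def parse_scc_error(msg: str) -> Dict[str, str]:
    """Split the bracketed provider list into {scc_name: reason}."""
    start, end = msg.find("["), msg.rfind("]")
    if start == -1 or end < start:
        raise ValueError("no provider list in message")
    body = msg[start + 1:end]
    hits = list(_PROVIDER_RE.finditer(body))
    reasons: Dict[str, str] = {}
    for i, m in enumerate(hits):
        stop = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        # Drop the ", " separator between providers; keep the reason text.
        reasons[m.group(1)] = body[m.end():stop].rstrip().rstrip(",").rstrip()
    return reasons


def triage(msg: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (SCCs the subject may not use, {evaluated SCC: why it rejected the pod})."""
    reasons = parse_scc_error(msg)
    denied = sorted(n for n, r in reasons.items() if NOT_USABLE in r)
    evaluated = {n: r for n, r in reasons.items() if NOT_USABLE not in r}
    return denied, evaluated


def invalid_field(reason: str) -> Optional[Tuple[str, str, str]]:
    """Return (field path, submitted value, expected value) for a field rejection, else None."""
    m = _INVALID_RE.match(reason)
    return (m.group(1), m.group(2), m.group(3)) if m else None
```

Running triage(SAMPLE_ERROR) shows that only restricted-v2 and nested-podman were actually evaluated for testuser-49, and invalid_field on either reason returns an empty expected value, which is the detail worth quoting when raising the case.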
Additional info:
In step 6, the pod can be created successfully as admin user, but running a podman command inside the container fails with the error "locks in /libpod_rootless_lock_1000: permission denied". (I also tried using the image "quay.io/cgruver0/che/ocp-4-17-userns-tp:latest" from your demo, https://asciinema.org/a/721318, but it also hit this error.)
# oc exec -it pod/nested-podman-2 -- /bin/bash
[podman@nested-podman-2 podman]$ id
uid=1000(podman) gid=1000(podman) groups=1000(podman)
[podman@nested-podman-2 podman]$ podman ps -a
Error: failed to open 2048 locks in /libpod_rootless_lock_1000: permission denied