Bug
Resolution: Not a Bug
Major
4.20
Quality / Stability / Reliability
Important
x86_64
Proposed
Description of problem:
The SCC validation failed when creating a pod with a user namespace as a non-admin user.
Version-Release number of selected component (if applicable):
4.20.0-0.ci-2025-08-12-232211
How reproducible:
always
Steps to Reproduce:
1. Create a custom SCC as follows:
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true  # set to true
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
  ranges:  # set the ranges to [0, 65534]
  - min: 0
    max: 65534
groups: []
kind: SecurityContextConstraints
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    kubernetes.io/description: restricted-v2 denies access to all host features and
      requires pods to be run with a UID, and SELinux context that are allocated to
      the namespace. This is the most restrictive SCC and it is used by default for
      authenticated users. On top of the legacy 'restricted' SCC, it also requires
      to drop ALL capabilities and does not allow privilege escalation binaries. It
      will also default the seccomp profile to runtime/default if unset, otherwise
      this seccomp profile is required.
  creationTimestamp: "2025-06-25T07:58:43Z"
  generation: 1
  name: nested-podman
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null  # not set
runAsUser:
  type: MustRunAsRange
  ranges:
  - min: 0
    max: 65534
seLinuxContext:
  type: MustRunAs
  seLinuxOptions:
    type: container_engine_t  # set to container_engine_t
seccompProfiles:
- runtime/default
supplementalGroups:
  type: MustRunAs
  ranges:
  - min: 0
    max: 65534
userNamespaceLevel: RequirePodLevel  # set to RequirePodLevel
users: [ testuser-49 ]  # set the user name testuser-49
volumes:
- configMap
- csi
- downwardAPI
- emptyDir
- ephemeral
- persistentVolumeClaim
- projected
- secret
2. Add the SCC to the non-admin user testuser-49:
% oc adm policy add-scc-to-user nested-podman testuser-49
3. Log in to the cluster as the non-admin user testuser-49:
% oc login -u testuser-49 -p XXX
Login successful.
4. Create a new project:
% oc new-project podman-demo
5. As an admin user, edit the namespace podman-demo (set "0/65534" for openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups):
# oc get ns podman-demo -o yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/description: ""
    openshift.io/display-name: ""
    openshift.io/requester: testuser-49
    openshift.io/sa.scc.mcs: s0:c27,c19
    openshift.io/sa.scc.supplemental-groups: 0/65534
    openshift.io/sa.scc.uid-range: 0/65534
    security.openshift.io/MinimallySufficientPodSecurityStandard: baseline
  creationTimestamp: "2025-08-14T07:09:40Z"
....
6. Create a pod as user testuser-49 (set seLinuxOptions.level to the same value as in the namespace podman-demo):
apiVersion: v1
kind: Pod
metadata:
  name: nested-podman-1
  annotations:
    io.kubernetes.cri-o.Devices: "/dev/fuse,/dev/net/tun"
    openshift.io/scc: nested-podman
spec:
  hostUsers: false  # user namespace
  containers:
  - name: nested-podman
    image: docker.io/lyman9966/baseline-nested-container:v1.0
    args:
    - sleep
    - "1000000"
    securityContext:
      runAsUser: 1000
      seLinuxOptions:
        type: "container_engine_t"
        level: "s0:c27,c19"
      procMount: Unmasked
      capabilities:
        add:
        - "NET_BIND_SERVICE"
Actual results:
6. The pod can't be created; the SCC validation failed:
provider nested-podman: .containers[0].seLinuxOptions.type: Invalid value: "container_engine_t": must be ,
The full error message:
Error from server (Forbidden): error when creating "pod-user-namespace-demo.yaml": pods "nested-podman-1" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .containers[0].seLinuxOptions.type: Invalid value: "container_engine_t": must be , provider "restricted-v3": Forbidden: not usable by user or serviceaccount, provider "restricted": Forbidden: not usable by user or serviceaccount, provider nested-podman: .containers[0].seLinuxOptions.type: Invalid value: "container_engine_t": must be , provider "nested-container": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid-v2": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "insights-runtime-extractor-scc": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
Expected results:
6. The pod is created successfully.
Additional info:
In step 6, the pod can be created successfully as an admin user, but running a podman command inside the container fails with the error:
"locks in /libpod_rootless_lock_1000: permission denied"
(I also tried using the image "quay.io/cgruver0/che/ocp-4-17-userns-tp:latest" from your demo, https://asciinema.org/a/721318, but it also hit this error.)
# oc exec -it pod/nested-podman-2 -- /bin/bash
[podman@nested-podman-2 podman]$ id
uid=1000(podman) gid=1000(podman) groups=1000(podman)
[podman@nested-podman-2 podman]$ podman ps -a
Error: failed to open 2048 locks in /libpod_rootless_lock_1000: permission denied
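To read the "must be ," part of the errors above: under an SCC whose seLinuxContext.type is MustRunAs, every seLinuxOptions field the pod sets is compared with the SCC's own seLinuxOptions (with an empty level filled from the namespace's openshift.io/sa.scc.mcs annotation), and the text after "must be" is the value the SCC wanted, which in the report is empty for both restricted-v2 and nested-podman. The Go program below is an added example written for this page; it is not code from OpenShift, and it re-implements that comparison as a model (an assumption about the admission plugin's behaviour, not a copy of the upstream strategy code). It runs the container seLinuxOptions from the step 6 pod against two constructed SCCs: one with seLinuxOptions.type container_engine_t, as the nested-podman SCC in step 1 is written, and one with no seLinuxOptions at all, as restricted-v2 has.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SELinuxOptions mirrors the four fields of securityContext.seLinuxOptions.
type SELinuxOptions struct {
	User, Role, Type, Level string
}

// SCC keeps only the parts of a SecurityContextConstraints object that the
// seLinuxContext strategy looks at.
type SCC struct {
	Name           string
	Strategy       string         // seLinuxContext.type: "MustRunAs" or "RunAsAny"
	SELinuxOptions SELinuxOptions // seLinuxContext.seLinuxOptions, fields may be empty
}

// effectiveOptions returns the values the SCC will require. An empty level is
// filled from the namespace's openshift.io/sa.scc.mcs annotation; this is the
// modelled (assumed) defaulting step, not a copy of the upstream code.
func effectiveOptions(scc SCC, nsAnnotations map[string]string) SELinuxOptions {
	opts := scc.SELinuxOptions
	if opts.Level == "" {
		opts.Level = nsAnnotations["openshift.io/sa.scc.mcs"]
	}
	return opts
}

// parseLevel splits an MCS level such as "s0:c27,c19" into its sensitivity and
// a sorted category list, so category order does not affect comparison.
func parseLevel(level string) (string, []string) {
	parts := strings.SplitN(level, ":", 2)
	var cats []string
	if len(parts) == 2 && parts[1] != "" {
		cats = strings.Split(parts[1], ",")
		sort.Strings(cats)
	}
	return parts[0], cats
}

// EqualLevels reports whether two MCS levels name the same sensitivity and
// category set ("s0:c27,c19" equals "s0:c19,c27").
func EqualLevels(a, b string) bool {
	sa, ca := parseLevel(a)
	sb, cb := parseLevel(b)
	return sa == sb && strings.Join(ca, ",") == strings.Join(cb, ",")
}

// ValidateSELinux applies the MustRunAs rule to one container's seLinuxOptions:
// each field must equal the SCC's effective value. Messages use the shape seen
// in the report, "<field>: Invalid value: <got>: must be <want>", so an empty
// <want> reads as "must be " exactly as in the bug.
func ValidateSELinux(scc SCC, nsAnnotations map[string]string, pod *SELinuxOptions) []string {
	if scc.Strategy != "MustRunAs" {
		return nil // RunAsAny imposes no SELinux requirement
	}
	if pod == nil {
		return []string{".containers[0].seLinuxOptions: Required value"}
	}
	want := effectiveOptions(scc, nsAnnotations)
	var errs []string
	fail := func(field, got, exp string) {
		errs = append(errs, fmt.Sprintf(".containers[0].seLinuxOptions.%s: Invalid value: %q: must be %s", field, got, exp))
	}
	if !EqualLevels(want.Level, pod.Level) {
		fail("level", pod.Level, want.Level)
	}
	if pod.Role != want.Role {
		fail("role", pod.Role, want.Role)
	}
	if pod.Type != want.Type {
		fail("type", pod.Type, want.Type)
	}
	if pod.User != want.User {
		fail("user", pod.User, want.User)
	}
	return errs
}

func main() {
	// Constructed from the report: the namespace's MCS label and the
	// container seLinuxOptions from the step 6 pod.
	ns := map[string]string{"openshift.io/sa.scc.mcs": "s0:c27,c19"}
	pod := &SELinuxOptions{Type: "container_engine_t", Level: "s0:c27,c19"}

	sccs := []SCC{
		// nested-podman as written in step 1: MustRunAs with an explicit type.
		{Name: "nested-podman", Strategy: "MustRunAs", SELinuxOptions: SELinuxOptions{Type: "container_engine_t"}},
		// restricted-v2 style: MustRunAs with no seLinuxOptions set at all.
		{Name: "restricted-v2", Strategy: "MustRunAs"},
	}
	for _, scc := range sccs {
		errs := ValidateSELinux(scc, ns, pod)
		if len(errs) == 0 {
			fmt.Printf("provider %s: pod accepted\n", scc.Name)
			continue
		}
		fmt.Printf("provider %s: %s\n", scc.Name, strings.Join(errs, ", "))
	}
}
```

Against the SCC as written in step 1 the model accepts the pod, while the SCC with no seLinuxOptions reproduces the restricted-v2 line from the report verbatim. Under this model the identical message from the nested-podman provider would mean that the SCC object the admission plugin actually evaluated had an empty seLinuxOptions.type; `oc get scc nested-podman -o jsonpath='{.seLinuxContext}'` shows the stored value, and it is worth checking that the YAML applied to the cluster did not carry the inline `//` remarks, which YAML does not treat as comments.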