- Bug
- Resolution: Unresolved
- Normal
- 4.21
- Quality / Stability / Reliability
- False
Description of problem:
runAsUser/runAsGroup are not behaving according to the expected range values in user namespaces
Version-Release number of selected component (if applicable):
4.21.0-0.nightly-2025-11-03-191704
How reproducible:
Always
Steps to Reproduce:
1. Install an AWS/GCP/Azure cluster
2. Create a new project and create the deployments as mentioned below.
3. Check the status of the deployments

// Deployment Behavior with Different UID/GID Values

Parameter    Value   Deployment Status   Error Message / Notes
runAsUser    1000    ✅ Works            Minimum allowed value for restricted-v3 SCC
runAsUser    65534   ✅ Works            Maximum allowed value for restricted-v3 SCC
runAsUser    65535   ❌ Fails            Invalid value: 65535: must be in the ranges: [1000, 65534]
runAsUser    999     ❌ Fails            Invalid value: 999: must be in the ranges: [1000, 65534]
runAsGroup   1000    ✅ Works            Minimum allowed value for restricted-v3 SCC
runAsGroup   65535   ✅ Works            Maximum allowed value for restricted-v3 SCC
runAsGroup   65536   ❌ Fails            deployment does not have minimum availability.
runAsGroup   999     ✅ Works            No error message, as it is working successfully

// deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-invalid-user-test-65535
  namespace: testropatil
  annotations:
    openshift.io/required-scc: restricted-v3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: testing
  template:
    metadata:
      labels:
        app: testing
      annotations:
        openshift.io/required-scc: restricted-v3
    spec:
      hostUsers: false
      securityContext:
        runAsUser: 65535   # This allows only till 65534 for user namespaces
        runAsGroup: 1000
        fsGroup: 1000
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: testing
          image: ubuntu
          command: ["/bin/sleep"]
          args: ["3600"]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-valid-user-test-65534
  namespace: testropatil
  annotations:
    openshift.io/required-scc: restricted-v3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: testing
  template:
    metadata:
      labels:
        app: testing
      annotations:
        openshift.io/required-scc: restricted-v3
    spec:
      hostUsers: false
      securityContext:
        runAsUser: 65534   # This allows only till 65534 for user namespaces
        runAsGroup: 1000
        fsGroup: 1000
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: testing
          image: ubuntu
          command: ["/bin/sleep"]
          args: ["3600"]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-valid-group-test-65535
  namespace: testropatil
  annotations:
    openshift.io/required-scc: restricted-v3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: testing
  template:
    metadata:
      labels:
        app: testing
      annotations:
        openshift.io/required-scc: restricted-v3
    spec:
      hostUsers: false
      securityContext:
        runAsUser: 1000
        runAsGroup: 65535   # This allows till 65535 for user namespaces
        fsGroup: 1000
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: testing
          image: ubuntu
          command: ["/bin/sleep"]
          args: ["3600"]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-invalid-group-test-65536
  namespace: testropatil
  annotations:
    openshift.io/required-scc: restricted-v3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: testing
  template:
    metadata:
      labels:
        app: testing
      annotations:
        openshift.io/required-scc: restricted-v3
    spec:
      hostUsers: false
      securityContext:
        runAsUser: 1000
        runAsGroup: 65536   # This allows till 65535 for user namespaces
        fsGroup: 1000
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: testing
          image: ubuntu
          # image: registry.redhat.io/ubi9/ubi
          command: ["/bin/sleep"]
          args: ["3600"]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-invalid-user-test-999
  namespace: testropatil
  annotations:
    openshift.io/required-scc: restricted-v3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: testing
  template:
    metadata:
      labels:
        app: testing
      annotations:
        openshift.io/required-scc: restricted-v3
    spec:
      hostUsers: false
      securityContext:
        runAsUser: 999
        runAsGroup: 1000   # This allows till 65535 for user namespaces
        fsGroup: 1000
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: testing
          image: ubuntu
          # image: registry.redhat.io/ubi9/ubi
          command: ["/bin/sleep"]
          args: ["3600"]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deployment-valid-group-test-999
  namespace: testropatil
  annotations:
    openshift.io/required-scc: restricted-v3
spec:
  replicas: 1
  selector:
    matchLabels:
      app: testing
  template:
    metadata:
      labels:
        app: testing
      annotations:
        openshift.io/required-scc: restricted-v3
    spec:
      hostUsers: false
      securityContext:
        runAsUser: 1000
        runAsGroup: 999   # This allows till 65535 for user namespaces
        fsGroup: 1000
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: testing
          image: ubuntu
          # image: registry.redhat.io/ubi9/ubi
          command: ["/bin/sleep"]
          args: ["3600"]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
Actual results:
In user namespaces, the max/min end-range values that were tested and observed working are 65534/1000 for runAsUser and 65535/999 for runAsGroup. Values below 999 (0-998) were not tested.
Expected results:
Either the runAsUser max range value should be 65535, or the runAsGroup max range value should be 65534. With runAsGroup: 999 the deployment should not work.
Additional info:
oc new-project testropatil
oc create -f deployment.yaml

// Check deployments
oc get deploy -n testropatil
NAME                                  READY   UP-TO-DATE   AVAILABLE   AGE
deployment-invalid-group-test-65536   0/1     1            0           57m
deployment-invalid-user-test-65535    0/1     0            0           57m
deployment-invalid-user-test-999      0/1     0            0           2m56s
deployment-valid-group-test-65535     1/1     1            1           57m
deployment-valid-group-test-999       1/1     1            1           6s
deployment-valid-user-test-65534      1/1     1            1           57m

// Check pods
oc get pods -n testropatil
NAME                                                   READY   STATUS                 RESTARTS        AGE
deployment-invalid-group-test-65536-75474b4bdf-hlrfg   0/1     CreateContainerError   0               3m8s
deployment-valid-group-test-65535-5bdb579d8b-6pgvf     1/1     Running                1 (8m17s ago)   68m
deployment-valid-group-test-999-68c45ffb69-kxlhx       1/1     Running                0               11m
deployment-valid-user-test-65534-66c6f6ffd5-xjhz5      1/1     Running                1 (8m17s ago)   68m

// Check the output yaml of valid deployments
oc get deploy/deployment-valid-user-test-65534 -n testropatil -o yaml
      securityContext:
        fsGroup: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        runAsUser: 65534
        seccompProfile:
          type: RuntimeDefault
      terminationGracePeriodSeconds: 30
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2025-11-05T05:50:21Z"
    lastUpdateTime: "2025-11-05T05:50:21Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2025-11-05T05:50:19Z"
    lastUpdateTime: "2025-11-05T05:50:21Z"
    message: ReplicaSet "deployment-valid-user-test-65534-66c6f6ffd5" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

oc get deploy/deployment-valid-group-test-65535 -n testropatil -o yaml
      securityContext:
        fsGroup: 1000
        runAsGroup: 65535
        runAsNonRoot: true
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
      terminationGracePeriodSeconds: 30
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2025-11-05T05:50:21Z"
    lastUpdateTime: "2025-11-05T05:50:21Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2025-11-05T05:50:19Z"
    lastUpdateTime: "2025-11-05T05:50:21Z"
    message: ReplicaSet "deployment-valid-group-test-65535-5bdb579d8b" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

oc get deploy/deployment-valid-group-test-999 -n testropatil -o yaml
      securityContext:
        fsGroup: 1000
        runAsGroup: 999
        runAsNonRoot: true
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
      terminationGracePeriodSeconds: 30
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2025-11-05T06:47:20Z"
    lastUpdateTime: "2025-11-05T06:47:20Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2025-11-05T06:47:18Z"
    lastUpdateTime: "2025-11-05T06:47:20Z"
    message: ReplicaSet "deployment-valid-group-test-999-68c45ffb69" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 1
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1

// Check the output yaml of invalid deployments
oc get deploy/deployment-invalid-user-test-65535 -n testropatil -o yaml
      securityContext:
        fsGroup: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        runAsUser: 65535
        seccompProfile:
          type: RuntimeDefault
      terminationGracePeriodSeconds: 30
status:
  conditions:
  - lastTransitionTime: "2025-11-05T05:50:18Z"
    lastUpdateTime: "2025-11-05T05:50:18Z"
    message: Created new replica set "deployment-invalid-user-test-65535-76d99c87f6"
    reason: NewReplicaSetCreated
    status: "True"
    type: Progressing
  - lastTransitionTime: "2025-11-05T05:50:18Z"
    lastUpdateTime: "2025-11-05T05:50:18Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2025-11-05T05:50:18Z"
    lastUpdateTime: "2025-11-05T05:50:18Z"
    message: 'pods "deployment-invalid-user-test-65535-76d99c87f6-" is forbidden: unable to validate against any security context constraint: provider restricted-v3: .containers[0].runAsUser: Invalid value: 65535: must be in the ranges: [1000, 65534]'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
  observedGeneration: 1
  unavailableReplicas: 1

oc get deploy/deployment-invalid-group-test-65536 -n testropatil -o yaml
      hostUsers: false
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 1000
        runAsGroup: 65536
        runAsNonRoot: true
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
      terminationGracePeriodSeconds: 30
status:
  conditions:
  - lastTransitionTime: "2025-11-05T05:50:19Z"
    lastUpdateTime: "2025-11-05T05:50:19Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2025-11-05T05:50:19Z"
    lastUpdateTime: "2025-11-05T05:50:19Z"
    message: ReplicaSet "deployment-invalid-group-test-65536-75474b4bdf" is progressing.
    reason: ReplicaSetUpdated
    status: "True"
    type: Progressing
  observedGeneration: 1
  replicas: 1
  unavailableReplicas: 1
  updatedReplicas: 1

oc get deploy/deployment-invalid-user-test-999 -n testropatil -o yaml
      securityContext:
        fsGroup: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        runAsUser: 999
        seccompProfile:
          type: RuntimeDefault
      terminationGracePeriodSeconds: 30
status:
  conditions:
  - lastTransitionTime: "2025-11-05T06:44:28Z"
    lastUpdateTime: "2025-11-05T06:44:28Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2025-11-05T06:44:28Z"
    lastUpdateTime: "2025-11-05T06:44:28Z"
    message: 'pods "deployment-invalid-user-test-999-5597b946ff-" is forbidden: unable to validate against any security context constraint: provider restricted-v3: .containers[0].runAsUser: Invalid value: 999: must be in the ranges: [1000, 65534]'
    reason: FailedCreate
    status: "True"
    type: ReplicaFailure
  - lastTransitionTime: "2025-11-05T06:54:29Z"
    lastUpdateTime: "2025-11-05T06:54:29Z"
    message: ReplicaSet "deployment-invalid-user-test-999-5597b946ff" has timed out progressing.
    reason: ProgressDeadlineExceeded
    status: "False"
    type: Progressing
  observedGeneration: 1
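The reproduction above only finds out about a bad UID/GID after `oc create`, and for runAsGroup it finds out late (65536 is admitted and then fails with CreateContainerError, while 999 is admitted and runs). The following is an added example, not code from this report or from OpenShift: an offline pre-check that walks a multi-document manifest and applies the range the admission error quotes, [1000, 65534], to both runAsUser and runAsGroup. Applying that range to runAsGroup is an assumption encoding the consistent policy the Expected results ask for, not a model of what the cluster currently does; the `ranges` parameter lets you try the reporter's other alternative (a 65535 ceiling for both). The regex parsing, the `deployment()` helper and the constructed manifests that mirror the report's deployment.yaml are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The only range the report quotes is from the runAsUser admission error:
#   "must be in the ranges: [1000, 65534]"
# ASSUMPTION: applying it to runAsGroup too. That is the consistent policy the
# report asks for; the cluster was observed admitting runAsGroup 999 and only
# failing runAsGroup 65536 at container creation time.
DEFAULT_RANGES: Dict[str, Tuple[int, int]] = {
    "runAsUser": (1000, 65534),
    "runAsGroup": (1000, 65534),
}

_DOC_SPLIT = re.compile(r"^---\s*$", re.MULTILINE)
_NAME = re.compile(r"^\s*name:\s*(\S+)", re.MULTILINE)      # metadata.name comes first
_ID = re.compile(r"^\s*(runAsUser|runAsGroup):\s*(\d+)", re.MULTILINE)
_HOST_USERS = re.compile(r"^\s*hostUsers:\s*(true|false)", re.MULTILINE)


@dataclass
class Verdict:
    name: str            # Deployment metadata.name
    field: str           # runAsUser or runAsGroup
    value: int
    user_namespace: bool  # hostUsers: false present in the pod spec
    admitted: bool
    reason: str


def split_documents(manifest: str) -> List[str]:
    """Split a multi-document YAML file on its '---' separators."""
    return [d for d in _DOC_SPLIT.split(manifest) if d.strip()]


def check_document(doc: str, ranges=DEFAULT_RANGES) -> List[Verdict]:
    """Check the first runAsUser/runAsGroup in one document against the ranges.

    The report's manifests set the IDs once, at pod level. The SCC validates the
    effective container value (the error names .containers[0].runAsUser), so a
    container-level override would have to be read instead if one were present.
    """
    name_match = _NAME.search(doc)
    name = name_match.group(1) if name_match else "<unnamed>"
    hu = _HOST_USERS.search(doc)
    user_ns = bool(hu) and hu.group(1) == "false"
    seen, verdicts = set(), []
    for field, raw in _ID.findall(doc):
        if field in seen:
            continue
        seen.add(field)
        value, (lo, hi) = int(raw), ranges[field]
        if lo <= value <= hi:
            verdicts.append(Verdict(name, field, value, user_ns, True, f"within [{lo}, {hi}]"))
        else:
            # Same wording as the admission error quoted in the report.
            verdicts.append(Verdict(name, field, value, user_ns, False,
                                    f".containers[0].{field}: Invalid value: {value}: "
                                    f"must be in the ranges: [{lo}, {hi}]"))
    return verdicts


def precheck(manifest: str, ranges=DEFAULT_RANGES) -> List[Verdict]:
    return [v for doc in split_documents(manifest) for v in check_document(doc, ranges)]


def rejected(manifest: str, ranges=DEFAULT_RANGES) -> Dict[str, List[str]]:
    """Map each Deployment name to the fields the pre-check would reject."""
    out: Dict[str, List[str]] = {}
    for v in precheck(manifest, ranges):
        if not v.admitted:
            out.setdefault(v.name, []).append(v.field)
    return out


def deployment(name: str, uid: int, gid: int) -> str:
    """Constructed manifest (assumption) trimmed down from the report's deployment.yaml."""
    return f"""apiVersion: apps/v1
kind: Deployment
metadata:
  name: {name}
  annotations:
    openshift.io/required-scc: restricted-v3
spec:
  template:
    spec:
      hostUsers: false
      securityContext:
        runAsUser: {uid}
        runAsGroup: {gid}
      containers:
        - name: testing
          image: ubuntu
"""


# The six cases from the report's table, as constructed sample input.
SAMPLE_MANIFEST = "---\n".join([
    deployment("deployment-invalid-user-test-65535", 65535, 1000),
    deployment("deployment-valid-user-test-65534", 65534, 1000),
    deployment("deployment-valid-group-test-65535", 1000, 65535),
    deployment("deployment-invalid-group-test-65536", 1000, 65536),
    deployment("deployment-invalid-user-test-999", 999, 1000),
    deployment("deployment-valid-group-test-999", 1000, 999),
])

if __name__ == "__main__":
    for v in precheck(SAMPLE_MANIFEST):
        print(f"{v.name:40} {v.field:10} {v.value:6} "
              f"{'ADMIT' if v.admitted else 'REJECT'}  {v.reason}")
```

Run it against a manifest before `oc create -f`; anything it reports as REJECT would be refused at admission with the quoted message if the range were enforced for both fields. Note that with the default ranges it also rejects runAsGroup 65535, which the cluster admitted; passing `ranges={"runAsUser": (1000, 65535), "runAsGroup": (1000, 65535)}` instead admits both 65535 cases and still rejects 65536 and 999. Which of the two the SCC should enforce is exactly what this report leaves for the component owners to decide.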