Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-852

oc debug requires a user to create a namespace with specific security labels

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Normal
    • Resolution: Done
    • 4.12
    • None
    • oc
    • None
    • ?
    • Hide

      None

      Show
      None
    • Hide
      The {product-title} {product-version} release fixes an issue with entering a debug session on a target node when the target namespace lacks the appropriate security level. This caused the `oc` CLI to prompt you with a pod security error message.

      If the existing namespace does not contain the appropriate security levels, {product-title} now creates a temporary namespace when you enter `oc` debug mode on a target node.

      (link:https://issues.redhat.com/browse/OCPBUGS-852[*OCPBUGS-852*])
      Show
      The {product-title} {product-version} release fixes an issue with entering a debug session on a target node when the target namespace lacks the appropriate security level. This caused the `oc` CLI to prompt you with a pod security error message. If the existing namespace does not contain the appropriate security levels, {product-title} now creates a temporary namespace when you enter `oc` debug mode on a target node. (link: https://issues.redhat.com/browse/OCPBUGS-852 [* OCPBUGS-852 *])
    • Bug Fix
    • Done

    Description

      Description of problem:

      When a user tries to run `oc debug,` they end up getting errors about pod security labels:

       Ensure the target namespace has the appropriate security level set or consider creating a dedicated privileged namespace using:
      	"oc create ns <namespace> -o yaml | oc label -f - security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged".
      Original error:
      pods "ip-10-0-129-209ec2internal-debug" is forbidden: violates PodSecurity "restricted:latest": host namespaces (hostNetwork=true, hostPID=true, hostIPC=true), privileged (container "container-00" must not set securityContext.privileged=true), allowPrivilegeEscalation != false (container "container-00" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "container-00" must set securityContext.capabilities.drop=["ALL"]), restricted volume types (volume "host" uses restricted volume type "hostPath"), runAsNonRoot != true (pod or container "container-00" must set securityContext.runAsNonRoot=true), runAsUser=0 (container "container-00" must not set runAsUser=0), seccompProfile (pod or container "container-00" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
      command failed, 3 retries left
      

      This happens since https://docs.openshift.com/container-platform/4.11/authentication/understanding-and-managing-pod-security-admission.html

      Fixing it requires the user running something like

      oc create ns fips-check -o yaml | \
        oc label -f - \
        security.openshift.io/scc.podSecurityLabelSync=false \
        pod-security.kubernetes.io/enforce=privileged \
        pod-security.kubernetes.io/audit=privileged \
        pod-security.kubernetes.io/warn=privileged
      
      Version-Release number of selected component (if applicable):

      4.12

      How reproducible:

      Always

      Steps to Reproduce:

      1. Try to run `oc debug node/....` in a new namespace

      Actual results:

      Error message

      Expected results:

      oc debug works without the user having to perform additional steps. If namespace is omitted, perhaps oc debug could create a temporary one with the correct pod security labels?

      Additional info:
      
      

      Attachments

        Issue Links

          Activity

            People

              aguclu@redhat.com Arda Guclu
              stbenjam Stephen Benjamin
              ying zhou ying zhou
              Darragh Fitzmaurice Darragh Fitzmaurice
              Votes:
              2 Vote for this issue
              Watchers:
              17 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: