OpenShift BuildConfig: OCPBUILD-29

Run Builds Without Privileged Pods


    • Type: Epic
    • Resolution: Won't Do
    • Priority: Minor
    • Version: openshift-4.10
    • Epic name: Run Builds Without Privileged Pods
    • Status: Done

      Goal: Minimize the permissions needed to run OpenShift builds

      Problem: OpenShift builds use the privileged: true security context, which bypasses standard RHEL security features like SELinux and AppArmor.

      Why is this important?

      The expanded permissions granted to OpenShift builds apply to the build controller and the builder service account. These permissions can be abused, for example through a known CVE, and lead to privilege escalation.


      1. Buildah supports running without privileged: true in a container

      Stories and Deliverables

      1. Update builds to run without privileged: true containers
      2. Reduce the permissions granted to the build controller and the builder service account

      Estimate: M

      Previous Work:

      Recently did an R&D experiment with removing the privileged bit with https://github.com/openshift/openshift-controller-manager/pull/156.

      Also, https://github.com/openshift/builder/pull/202 will have some bearing on things, as if I (Gabe) understood rhn-engineering-nalin correctly, to date the buildah/podman team has not run OCI isolation successfully from an unprivileged pod.


      User Stories:

      As an OpenShift cluster admin
      I want builds to run without privileged: true containers
      So that I can comply with security policies that ban privileged containers.

      Success Criteria:

      • Builds run without using privileged: true containers
      • The build controller and builder service account use minimal privileges to run successful builds.
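      The problem statement and the first success criterion both come down to one observable fact: whether any build pod still carries a container with privileged: true. The script below is an added example for this epic, not code from the issue or from the OpenShift project. It reads the PodList JSON that `oc get pods -A -o json` prints, reports every privileged container, and lists which hardening settings each container lacks. The build-pod label, the STORAGE_DRIVER environment variable, the container names and the three embedded manifests are constructed assumptions for the example, not real cluster output.

```python
"""Audit pod JSON for containers that request privileged: true and report
missing hardening settings.

Added example for OCPBUILD-29; not code from the epic or from OpenShift.
Input is the PodList JSON printed by `oc get pods -A -o json` (or
`kubectl get pods -A -o json`). The manifests below are constructed.
"""
import json
import sys

# Baseline a build container should meet once it no longer needs
# privileged: true (assumed baseline for this example).
HARDENED_SECURITY_CONTEXT = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "runAsNonRoot": True,
    "capabilities": {"drop": ["ALL"]},
}

# Label OpenShift puts on build pods; its use here is an assumption.
BUILD_LABEL = "openshift.io/build.name"

# Constructed PodList: a build pod that is still privileged (the "before"
# state), a build pod already hardened, and an unrelated app pod that
# sets no securityContext at all.
SAMPLE_POD_LIST = {
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "myapp-1-build", "namespace": "dev",
                         "labels": {BUILD_LABEL: "myapp-1"}},
            "spec": {"containers": [
                {"name": "sti-build",
                 "securityContext": {"privileged": True}},
            ]},
        },
        {
            "metadata": {"name": "myapp-2-build", "namespace": "dev",
                         "labels": {BUILD_LABEL: "myapp-2"}},
            "spec": {"containers": [
                {"name": "sti-build",
                 # vfs is the storage driver an unprivileged buildah can use;
                 # the env var name is assumed for this sample.
                 "env": [{"name": "STORAGE_DRIVER", "value": "vfs"}],
                 "securityContext": dict(HARDENED_SECURITY_CONTEXT)},
            ]},
        },
        {
            "metadata": {"name": "web-7f9c", "namespace": "prod"},
            "spec": {"containers": [{"name": "web"}]},
        },
    ],
}


def iter_containers(pod):
    """Yield every init container and regular container of a pod."""
    spec = pod.get("spec", {})
    for field in ("initContainers", "containers"):
        for container in spec.get(field, []):
            yield container


def privileged_containers(pod_list):
    """Return (namespace, pod, container) for each container with privileged: true."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for container in iter_containers(pod):
            sc = container.get("securityContext") or {}
            if sc.get("privileged") is True:
                findings.append((meta.get("namespace"), meta.get("name"),
                                 container.get("name")))
    return findings


def is_build_pod(pod):
    """True when the pod carries the (assumed) OpenShift build label."""
    return BUILD_LABEL in (pod.get("metadata", {}).get("labels") or {})


def privileged_build_pods(pod_list):
    """Build pods that still run a privileged container: the epic's
    success criterion says this list should be empty."""
    builds = {"items": [p for p in pod_list.get("items", []) if is_build_pod(p)]}
    return privileged_containers(builds)


def missing_hardening(container):
    """List the baseline settings a container's securityContext does not meet."""
    sc = container.get("securityContext") or {}
    missing = []
    if sc.get("privileged") is True:
        missing.append("privileged must be false")
    if sc.get("allowPrivilegeEscalation") is not False:
        missing.append("allowPrivilegeEscalation should be false")
    if sc.get("runAsNonRoot") is not True:
        missing.append("runAsNonRoot should be true")
    drops = (sc.get("capabilities") or {}).get("drop") or []
    if "ALL" not in drops:
        missing.append("capabilities.drop should include ALL")
    return missing


def main(argv):
    """Usage: audit_privileged.py [pods.json]; without a file the sample runs."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            pod_list = json.load(fh)
    else:
        pod_list = SAMPLE_POD_LIST
    findings = privileged_containers(pod_list)
    for ns, pod, container in findings:
        print(f"PRIVILEGED {ns}/{pod} container={container}")
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for container in iter_containers(pod):
            gaps = missing_hardening(container)
            if gaps:
                print(f"GAPS {meta.get('namespace')}/{meta.get('name')} "
                      f"container={container.get('name')}: {', '.join(gaps)}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

      Against a real cluster, dump the pods first (`oc get pods -A -o json > pods.json`) and pass the file as the argument; a non-zero exit means at least one container still asks for privileged: true. Checking `privileged_build_pods` over time is a direct measure of the first success criterion, while `missing_hardening` shows how far each build container is from the assumed baseline even after the privileged bit is gone.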

      Open Questions:

      • Should developers be allowed to restore the "privileged" build mode? For instance, if devs see build times increase significantly because we're using the VFS storage driver and are not privileged, they may want to be able to go back and accept a riskier build process.

            Assignee: Unassigned
            Reporter: Siamak Sadeghianfar (ssadeghi@redhat.com)
            Also listed: xiujuan wang