OpenShift BuildConfig / OCPBUILD-29

Run Builds Without Privileged Pods

Details

    • Epic
    • Resolution: Won't Do
    • Minor
    • openshift-4.10
    • Done

    Description

      Goal: Minimize the permissions needed to run OpenShift builds

      Problem: OpenShift builds use the privileged: true security context, which bypasses standard RHEL security features like SELinux and AppArmor.

      Why is this important?

      The expanded permissions granted to OpenShift builds apply to the build controller and the builder service account. These can be abused and lead to privilege escalation (for example, through a known CVE in the builder image or in a tool the build invokes).

      Dependencies

      1. Buildah supports running without privileged: true in a container

      Stories and Deliverables

      1. Update builds to run without privileged: true containers
      2. Reduce the permissions granted to the build controller and the builder service account

      Estimate: M

      Previous Work:

      Recently did an R&D experiment with removing the privileged bit: https://github.com/openshift/openshift-controller-manager/pull/156

      Also, https://github.com/openshift/builder/pull/202 will have some bearing on things, as, if I (Gabe) understood rhn-engineering-nalin correctly, to date the buildah/podman team has not run OCI isolation successfully from an unprivileged pod.

      User Stories:

      As an OpenShift cluster admin
      I want builds to run without privileged: true containers
      So that I can comply with security policies that ban privileged containers.

      Success Criteria:

      • Builds run without using privileged: true containers
      • The build controller and builder service account use minimal privileges to run successful builds.

      Open Questions:

      • Should developers be allowed to restore the "privileged" build mode? For instance, if developers see build times increase significantly because the unprivileged build has to use the VFS storage driver, they may want to be able to go back and accept a riskier build process.
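The user story and success criteria above boil down to a check a cluster admin can run: which pods (build pods included) still carry the settings the epic wants removed. The script below is an added example, not code from this epic or from the OpenShift project. It audits pod manifests for privileged: true, for allowPrivilegeEscalation left unset, for added high-risk capabilities and for host namespace sharing. The two manifests are constructed: the pod and image names are placeholders, and the STORAGE_DRIVER=vfs setting on the unprivileged variant only reflects the VFS trade-off mentioned in the open question; it is an assumption about the build environment, not a description of how OpenShift builds are actually configured.

```python
"""Audit pod specs for the privileged settings OCPBUILD-29 wants removed.

Added example, not code from the epic or the OpenShift project. Field names
follow the Kubernetes PodSpec API; manifests below are constructed.
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (container name, finding code, explanation)

# Constructed: a build pod whose builder container runs privileged.
PRIVILEGED_BUILD_POD: Dict[str, Any] = {
    "metadata": {"name": "example-build-1-build", "namespace": "example-app"},
    "spec": {
        "serviceAccountName": "builder",
        "containers": [{
            "name": "sti-build",
            "image": "registry.example.invalid/builder:placeholder",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed: the same pod with the privileged bit removed and the usual
# hardening applied. STORAGE_DRIVER=vfs is an assumption (buildah's slower
# driver that needs no privileged mount access), not the project's setting.
UNPRIVILEGED_BUILD_POD: Dict[str, Any] = {
    "metadata": {"name": "example-build-2-build", "namespace": "example-app"},
    "spec": {
        "serviceAccountName": "builder",
        "containers": [{
            "name": "sti-build",
            "image": "registry.example.invalid/builder:placeholder",
            "env": [{"name": "STORAGE_DRIVER", "value": "vfs"}],
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "seccompProfile": {"type": "RuntimeDefault"},
            },
        }],
    },
}

POD_HOST_FLAGS = ("hostPID", "hostIPC", "hostNetwork")
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "NET_ADMIN"}


def audit_container(container: Dict[str, Any]) -> List[Finding]:
    """Return findings for one container's securityContext."""
    name = container.get("name", "<unnamed>")
    sc = container.get("securityContext") or {}
    findings: List[Finding] = []
    if sc.get("privileged") is True:
        findings.append((name, "PRIVILEGED",
                         "privileged: true grants all capabilities and bypasses "
                         "SELinux/seccomp confinement"))
    # Unset means the kubelet default (true), so require an explicit false.
    if sc.get("allowPrivilegeEscalation", True) is not False:
        findings.append((name, "PRIV_ESC",
                         "allowPrivilegeEscalation is not explicitly false"))
    added = set((sc.get("capabilities") or {}).get("add") or [])
    risky = sorted(added & RISKY_CAPS)
    if risky:
        findings.append((name, "CAP_ADD", "adds capabilities " + ", ".join(risky)))
    return findings


def audit_pod(pod: Dict[str, Any]) -> List[Finding]:
    """Pod-level host namespace flags first, then every init and app container."""
    spec = pod.get("spec") or {}
    findings: List[Finding] = []
    for flag in POD_HOST_FLAGS:
        if spec.get(flag):
            findings.append(("<pod>", "HOST_NS", f"{flag}: true shares a host namespace"))
    for container in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        findings.extend(audit_container(container))
    return findings


def audit_pods(pods: List[Dict[str, Any]]) -> Dict[str, List[Finding]]:
    """Map 'namespace/name' to findings, listing only pods that have some."""
    report: Dict[str, List[Finding]] = {}
    for pod in pods:
        md = pod.get("metadata") or {}
        key = f"{md.get('namespace', 'default')}/{md.get('name', '<unnamed>')}"
        found = audit_pod(pod)
        if found:
            report[key] = found
    return report


if __name__ == "__main__":
    for key, findings in audit_pods([PRIVILEGED_BUILD_POD, UNPRIVILEGED_BUILD_POD]).items():
        print(key)
        for container, code, why in findings:
            print(f"  [{code}] {container}: {why}")
```

Against a live cluster, the `items` list from `oc get pods -A -o json` can be passed straight to audit_pods; filtering on the `openshift.io/build.name` annotation narrows the report to build pods. The PRIV_ESC rule is deliberately strict about an unset value, since the builder container in the first manifest would otherwise pass on everything except the privileged bit itself.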

      People

        Unassigned
        Siamak Sadeghianfar (ssadeghi@redhat.com)
        xiujuan wang