Tech Preview - Unprivileged Builds
Type: Epic
Status: Done
Resolution: Won't Do
Priority: Major
Parent: OCPPLAN-4518 - Builds with reduced privileges
Progress: 0% To Do, 0% In Progress, 100% Done
Goal: Allow builds to be run within a user-namespaced container by default. This means that the build runs as a non-root user from the host's perspective.
Problem:
- OpenShift builds require an elevated set of capabilities to build a container image.
- Builds need to run as root within the container to maintain adequate performance for actions such as setting up overlay filesystems and creating sub-uid/gid mappings.
- Container workloads should run as non-root from the host's perspective.
Why is this important?
Running root containers without user namespaces increases the attack surface of a cluster. A vulnerability (or set of vulnerabilities) in the stack could compromise the host node or entire cluster.
Dependencies
- Buildah supports running without privileged: true in a container
- CRI-O allows workloads to opt into running containers in user namespaces
Stories and Deliverables
- Build Annotations
- BuildDefaults and BuildOverrides for Build Annotations
- Verify Builds with User Namespaces Annotation
Estimate: M
Previous Work:
Recently did an R&D experiment with removing the privileged bit with https://github.com/openshift/openshift-controller-manager/pull/156
Also, https://github.com/openshift/builder/pull/202 will have some bearing on things, as, if I (Gabe) understood nalind correctly, to date the buildah/podman team has not run OCI isolation successfully from an unprivileged pod.
User Stories:
As an OpenShift cluster admin
I want builds to run in user namespaces
So that I can comply with security policies that block containers running as root on the node
Success Criteria:
- Builds run as non-root from the node's perspective
- Developers can add annotations to a Build/BuildConfig, and those annotations are passed to the build.
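As an added example (not code from this epic or from OpenShift), a check for the first success criterion: read a build process's /proc/<pid>/uid_map on the node and decide whether the container's root is remapped away from host uid 0. The uid_map contents below are constructed samples, not captured from a cluster.

```python
# Added example: decide from a process's /proc/<pid>/uid_map whether uid 0
# inside the build container is also uid 0 on the node.
# Each uid_map line is "inside_start outside_start count".

OVERFLOW_UID = 65534  # what the kernel reports for an id with no mapping ("nobody")


def parse_uid_map(text: str) -> list[tuple[int, int, int]]:
    """Parse uid_map lines into (inside_start, outside_start, count) triples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines rather than guessing
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def host_uid(uid_map: str, container_uid: int) -> int:
    """Translate a uid seen inside the namespace to the host uid it maps to.

    Ids outside every mapping range have no host identity; the node sees
    them as the overflow uid.
    """
    for inside, outside, count in parse_uid_map(uid_map):
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return OVERFLOW_UID


def runs_as_root_on_host(uid_map: str, container_uid: int = 0) -> bool:
    """True when the in-container uid (root by default) is host uid 0."""
    return host_uid(uid_map, container_uid) == 0


# Constructed sample maps: the identity map of a build pod that is not in a
# user namespace, and a user-namespaced pod whose root is remapped to a
# sub-uid range (the "non-root from the node's perspective" case).
IDENTITY_MAP = "         0          0 4294967295\n"
USERNS_MAP = "         0     100000      65536\n"

if __name__ == "__main__":
    for name, m in (("identity", IDENTITY_MAP), ("userns", USERNS_MAP)):
        print(f"{name}: container uid 0 -> host uid {host_uid(m, 0)}, "
              f"root on node: {runs_as_root_on_host(m)}")
```

On a real node, feed the function the contents of /proc/<pid>/uid_map for the build's main process; an identity map means the build still runs as root on the node.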
Open Questions:
- If a build is run in a user namespace, does the container require the same set of capabilities as a container running as root?
Issue links:
- depends on: OCPBUILD-44 Dev Preview - User Namespace Builds (Closed)
- is blocked by: OCPBUILD-44 Dev Preview - User Namespace Builds (Closed)
- is documented by: RHDEVDOCS-3848 Document "Builds in user namespaces", aka "unprivileged builds", as a TP feature (Closed)
- relates to: OCPNODE-683 Create MCO drop-in for user namespace workload (Closed)
- links to