OCPBUILD-50

Tech Preview - User Namespace Builds


    • Issue Type: Epic
    • Resolution: Won't Do
    • Priority: Major
    • Tech Preview - Unprivileged Builds
    • Status: Done
    • Parent: OCPPLAN-4518 - Builds with reduced privileges
    • Progress: 0% To Do, 0% In Progress, 100% Done

      Goal: Allow builds to be run within a user-namespaced container by default. This means that the build runs as a non-root user from the host's perspective.

      Problem:

      • OpenShift builds require an elevated set of capabilities to build a container image.
      • Builds need to run as root within the container to maintain adequate performance for actions such as setting up overlay filesystems and creating sub-uid/gid mappings.
      • Container workloads should run as non-root from the host's perspective.

      Why is this important?

      Running root containers without user namespaces increases the attack surface of a cluster. A vulnerability (or set of vulnerabilities) in the stack could compromise the host node or entire cluster.

      Dependencies

      1. Buildah supports running without privileged: true in a container
      2. CRI-O allows workloads to opt into running containers in user namespaces

      Stories and Deliverables

      1. Build Annotations
      2. BuildDefaults and BuildOverrides for Build Annotations
      3. Verify Builds with User Namespaces Annotation

      Estimate: M

      Previous Work:

      Recently did an R&D experiment with removing the privileged bit: https://github.com/openshift/openshift-controller-manager/pull/156

      Also, https://github.com/openshift/builder/pull/202 will have some bearing on things, as, if I (Gabe) understood nalind correctly, to date the buildah/podman team has not run OCI isolation successfully from an unprivileged pod.


      User Stories:

      As an OpenShift cluster admin
      I want builds to run in user namespaces
      So that I can comply with security policies that block containers running as root on the node

      Success Criteria:

      • Builds run as non-root from the node's perspective
      • Developers can add annotations to a Build/BuildConfig, and those annotations are passed to the build.

      Open Questions:

      • If a build is run in a user namespace, does the container require the same set of capabilities as a container running as root?

            People: Nalin Dahyabhai (rhn-engineering-nalin), Siamak Sadeghianfar (rh-ee-ssadeghi), Jitendar Singh