OCPBUILD-50

Tech Preview - User Namespace Builds


Details

    • Epic
    • Resolution: Won't Do
    • Major
    • Tech Preview - Unprivileged Builds
    • Done
    • OCPPLAN-4518 - Builds with reduced privileges

    Description

      Goal: Allow builds to be run within a user-namespaced container by default. This means that the build runs as a non-root user from the host's perspective.

      Problem:

      • OpenShift builds require an elevated set of capabilities to build a container image.
      • Builds need to run as root within the container to maintain adequate performance for actions such as setting up overlay filesystems and creating sub-uid/gid mappings.
      • Container workloads should run as non-root from the host's perspective.

      Why is this important?

      Running root containers without user namespaces increases the attack surface of a cluster. A vulnerability (or set of vulnerabilities) in the stack could compromise the host node or entire cluster.

      Dependencies

      1. Buildah supports running without privileged: true in a container
      2. CRI-O allows workloads to opt into running containers in user namespaces

      Stories and Deliverables

      1. Build Annotations
      2. BuildDefaults and BuildOverrides for Build Annotations
      3. Verify Builds with User Namespaces Annotation

      Estimate: M

      Previous Work:

      Recently did an R&D experiment with removing the privileged bit with https://github.com/openshift/openshift-controller-manager/pull/156

      Also, https://github.com/openshift/builder/pull/202 will have some bearing on things, as if I (Gabe) understood nalind correctly, to date the buildah/podman team has not run OCI isolation successfully from an unprivileged pod.

      User Stories:

      As an OpenShift cluster admin
      I want builds to run in user namespaces
      So that I can comply with security policies that block containers running as root on the node

      Success Criteria:

      • Builds run as non-root from the node's perspective
      • Developers can add annotations to a Build/BuildConfig, and those annotations are passed to the build.
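      One way to verify the first success criterion (that the build runs as non-root from the node's perspective) is to inspect the kernel's uid mapping for the build process. This is an added example, not part of the ticket or of the OpenShift builder code; it relies only on the documented format of /proc/<pid>/uid_map, where each line is "<id in this namespace> <id in parent namespace> <length>" and the single identity line "0 0 4294967295" means the process is in the host's initial user namespace. The sample mappings used to exercise the functions are constructed values, not taken from any cluster.

```shell
#!/bin/sh
# Added example (not from the OCPBUILD-50 ticket): decide from a uid_map file
# whether a process runs inside a user namespace, and which parent-namespace
# (host) uid an in-container uid corresponds to.
#
# /proc/<pid>/uid_map lines have the form
#   <id in this ns> <id in parent ns> <length>
# The single line "0 0 4294967295" is the identity map of the initial namespace,
# so a build whose uid_map looks like that is root on the node as well.

# Return 0 (true) when the uid_map contents describe a non-identity mapping,
# i.e. the process is in a user namespace rather than the host's initial one.
uid_map_is_userns() {
    printf '%s\n' "$1" | awk '
        NF == 3 {
            n++
            if (!($1 == 0 && $2 == 0 && $3 == 4294967295)) nonid = 1
        }
        END { exit ((n > 0 && nonid) ? 0 : 1) }'
}

# Print the parent-namespace uid that in-namespace uid $2 maps to, or
# "unmapped" if no range in the uid_map covers it. When the parent is the
# initial namespace this is the uid the node's kernel enforces for the process.
host_uid_for() {
    printf '%s\n' "$1" | awk -v uid="$2" '
        NF == 3 && $1 <= uid && uid < $1 + $3 {
            print $2 + (uid - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# Live check when run on Linux (for example inside a build pod): report how the
# container's uid 0 is seen from the parent namespace.
if [ -r /proc/self/uid_map ]; then
    map=$(cat /proc/self/uid_map)
    if uid_map_is_userns "$map"; then
        echo "in a user namespace; container uid 0 is uid $(host_uid_for "$map" 0) in the parent namespace"
    else
        echo "NOT in a user namespace: uid 0 here is uid 0 on the host"
    fi
fi
```

      Run from inside the build container, the script reports the mapping of the container's root user; run on the node against /proc/<build pid>/uid_map, it shows the same thing from the host side. A constructed mapping such as "0 100000 65536" means the build's root is host uid 100000, which is what the success criterion asks for; the identity mapping means the build is root on the node regardless of what the container's own /etc/passwd says.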

      Open Questions:

      • If a build is run in a user namespace, does the container require the same set of capabilities as a container running as root?

            People

              rhn-engineering-nalin Nalin Dahyabhai
              ssadeghi@redhat.com Siamak Sadeghianfar
              Jitendar Singh Jitendar Singh