-
Feature
-
Resolution: Unresolved
-
Critical
-
None
-
None
-
BU Product Work
-
False
-
-
False
-
33% To Do, 0% In Progress, 67% Done
-
0
Feature Overview
Running containers as root is considered a high security risk because if user breaks out of the container, they would have root privileges on the node and therefore OpenShift does not allow running containers as root by default. buildah which is used on OpenShift for building images, requires to run as root and therefore requires exceptions to the "no root containers" security constraint and is considered a security concerns for customers.
With the introduction of user namespaces in Kubernetes, the "no root containers" while still applies, should be explained more accurately that it applies to running root on the host. For a container that runs in the user namespace, "root" could be allowed while maintaining platform security since container won't be root on the host that it runs on. Therefore, image builds (buildah) should take advantage of user namespace in order to maintain the same security posture that applies to pods by default outside the user namespaces.
Goals
Enable any authenticated user on OpenShift to build images on the cluster through use of user namespaces without requiring them to make modifications to the default service accounts and default security context constrains available in each namespace.
Requirements
Requirement | Notes | isMvp? |
---|---|---|
Any authenticated user on OpenShift can build images using buildah on the cluster with the default service account and default SCCs available in the user namespace | YES | |
The default service account and SCC used for image builds in the user namespce is as secure as the "restricted" SCC | YES | |
Tekton Pipelines do not require any special service account and modifications to the security context constrain in order to use buildah for image builds | YES | |
Dockerfiles that successfully build on the platform when buildah runs as root and anyuid SCC, continue to build successfully with the default user-namespace-aware SCC | YES | |
Dockerfiles that successfully build on the platform when buildah runs as a privileged container, continue to build successfully with the default user-namespace-aware SCC |
Background, and strategic fit
- Running containers as root is considered a high security risk because if user breaks out of the container, they would have root privileges on the node.
- OpenShift by default does not allow containers to run as root on the platform and is marketed as the “secure by default” platform compared to other Kubernetes distros
- Image builds on OpenShift (classic BuildConfigs, Tekton Pipelines, Shipwright, etc) use buildah for building images from a Dockerfile which needs to run as root for the widest support for Dockerfiles
- We have in the past prioritised UX over security and treated image builds exceptions to the “containers can’t run as root” rule in order to enable users to build images on the platform
- BuildConfigs pods run with the builder service account to enable buildah to run as root
- Pipelines use the pipeline service account and a custom SCC similar to anyuid to enable buildah to run as root
- As a result, image builds are not considered to meet the same bar as the platform and some customers go as far as preventing their users from building images on the platform
- Building images on OpenShift should follow the default security constraints that applies to all pods (restricted SCC) while being aware of the user namespaces
Assumptions
- TBD
Customer Considerations
- Ford is one of the larger OpenShift customers that requires this in order to success in establishing OpenShift platform against GCP
Notes
- What are the cases where buildah would fail in user namespaces?
- Using an id which is more than 65k
- is blocked by
-
OCPSTRAT-207 TP in 4.17 : Support User Namespaces in pods
- Closed
- relates to
-
RFE-3267 Leverage rootless containers inside of a pod without additional privileges for running and building container images without additional access (and without running as root).
- Under Review
-
RFE-3266 Leverage /dev/fuse in unprivileged containers within OpenShift
- Accepted
-
OCPSTRAT-207 TP in 4.17 : Support User Namespaces in pods
- Closed