Epic
Resolution: Unresolved
Minimum privileges for OVNController pod processes
100% To Do, 0% In Progress, 0% Done
The OVNController CRD controller spawns pods via a DaemonSet that are privileged, run as root, and require additional capabilities (NET_ADMIN, SYS_ADMIN, SYS_RESOURCE). This poses a risk to the security of the cluster, and we should minimize the risk surface where possible.
Note: OVNNorthd and OVNDbCluster pods are not privileged. This Epic applies to OVNController pods only and, to be even more clear, to ovn-controller processes running in pods (on OCP nodes via OpenShift), not to EDP nodes (where bare podman is used, and where ovs-vswitchd is running on the hypervisor).
Definition of Done:
- ovn-controller is running in unprivileged container
  - scc!=privileged, user!=root, capabilities are default
- ovsdb-server is running in unprivileged container
  - scc!=privileged, user!=root, capabilities are default
  - prior work done for OVNDbCluster CRD controller suggests that scc=restricted-v2 should work for ovsdb-server
- configJob that configures vswitchd local ovsdb-server is running in unprivileged container
Note: ovs-vswitchd may still run as privileged. This service manipulates interfaces and hence has a different security profile.
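One way to check a running pod against the Definition of Done above, as an added example that is not part of the epic or of ovn-operator. It assumes pod JSON in the shape `oc get pod -o json` returns, reads the admitted SCC from the `openshift.io/scc` annotation, and interprets "capabilities are default" as "no added capabilities"; the sample pod and its container layout are constructed.

```python
import json

# Constructed sample pod (illustrative names/values, not taken from ovn-operator).
SAMPLE_POD = json.loads("""
{
  "metadata": {"name": "ovn-controller-sample",
               "annotations": {"openshift.io/scc": "privileged"}},
  "spec": {"containers": [
    {"name": "ovn-controller",
     "securityContext": {"privileged": true, "runAsUser": 0,
       "capabilities": {"add": ["NET_ADMIN", "SYS_ADMIN", "SYS_RESOURCE"]}}},
    {"name": "ovsdb-server",
     "securityContext": {"runAsUser": 1000, "runAsNonRoot": true,
       "capabilities": {"drop": ["ALL"]}}},
    {"name": "ovs-vswitchd",
     "securityContext": {"privileged": true, "runAsUser": 0}}
  ]}
}
""")

EXEMPT = {"ovs-vswitchd"}  # the epic allows this service to stay privileged

def audit_pod(pod, exempt=EXEMPT):
    """Return {container_name: [findings]} for every non-exempt container."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    scc = pod["metadata"].get("annotations", {}).get("openshift.io/scc")
    report = {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c["name"] in exempt:
            continue
        sc = c.get("securityContext") or {}
        findings = []
        if scc == "privileged":
            findings.append("scc=privileged")
        if sc.get("privileged"):
            findings.append("privileged=true")
        # Container-level settings override pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if uid == 0 or (uid is None and not non_root):
            findings.append("may run as root")
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            findings.append("added capabilities: " + ",".join(sorted(added)))
        report[c["name"]] = findings
    return report
```

In the constructed sample, ovsdb-server is flagged only for `scc=privileged`: the SCC is assigned per pod, so a container that is itself unprivileged still fails the check while it shares a pod with a privileged one.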
- is related to
  - OSPRH-1932 Split ovn-controller into a separate pod from vswitchd/ovsdb-server (Closed)
  - OSPRH-676 [ovn-operator] Remove unnecessary privileges from ovn-controller pods (Closed)