OpenShift Request For Enhancement / RFE-1854

Allow dropping all capabilities by using keyword "all" in the container's securityContext

Details

    • Feature Request
    • Resolution: Done
    • openshift-4.8
    • Node

    Description

      Back in the OCP 3 days, when it used Docker as the container runtime, users could use the "all" keyword to drop all capabilities of a given container. When OCP moved from Docker to CRI-O, that feature was lost.

      If a user wants to drop all capabilities, they need to know which ones are added by the runtime by default and append them as a list in the securityContext specification.

      This could be done by adding that list of capabilities to the SCC's requiredDrop, but again that's not convenient.

      There are customers that were using this feature back in the day and they keep configuring the deployable manifests with that "all" keyword, but now that's not working anymore.

      In this RFE we want to explore the possibility of bringing back such functionality so users can continue using the "all" keyword.

      More info in this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1931838
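
One way to check from inside a container whether a capability drop actually took effect, as an added example that is not part of the original issue or of OpenShift/CRI-O code: it decodes the `Cap*` masks from `/proc/<pid>/status`. The function names and the two status samples are constructed for illustration.

```python
# Decode the Cap* masks of /proc/<pid>/status to list what a process still holds.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()  # index in this list == Linux capability number
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

def parse_cap_masks(status_text):
    """Return {set name: integer mask} for the Cap* lines of a status file."""
    masks = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in CAP_SETS:
            masks[key.strip()] = int(value.strip(), 16)
    return masks

def decode_mask(mask):
    """Translate a capability bitmask into names; unknown bits stay numeric."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"bit{b}"
            for b in range(mask.bit_length()) if (mask >> b) & 1]

def remaining_capabilities(status_text):
    """Map each non-empty capability set to the capabilities still in it."""
    masks = parse_cap_masks(status_text)
    missing = [s for s in CAP_SETS if s not in masks]
    if missing:
        # Refuse to report "clean" when the input is not a full status file.
        raise ValueError(f"status text lacks {missing}")
    return {s: decode_mask(m) for s, m in masks.items() if m}

# Constructed samples (illustrative masks, not any runtime's documented defaults).
NOT_DROPPED = """Name:\tsleep
CapInh:\t0000000000000000
CapPrm:\t00000000000005fb
CapEff:\t00000000000005fb
CapBnd:\t00000000000005fb
CapAmb:\t0000000000000000
"""
DROPPED = NOT_DROPPED.replace("5fb", "000")

if __name__ == "__main__":
    # Inside a container, pass open("/proc/1/status").read() instead of the sample.
    print(remaining_capabilities(NOT_DROPPED) or "all capabilities dropped")
```

An empty result means every set is zero; any non-empty set, including the bounding set `CapBnd`, shows that the manifest's drop list did not remove everything.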

          People

            gausingh@redhat.com Gaurav Singh
            mavazque@redhat.com Mario Vazquez Cebrian