Description of problem:
Upstream is turning ephemeralContainers on in kubernetes 1.23. SCC admission is currently unaware of that field, which means that users could create privileged containers at will without required privileges.

Version-Release number of selected component (if applicable):
4.10

How reproducible:
100% (once we rebase on 1.23)

Steps to Reproduce:
1. create a pod with a privileged ephemeral container (https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/) as a user that's not allowed to create privileged containers

Actual results:
User is allowed to do 1.

Expected results:
User should not be allowed to do 1.

Additional info:
Yash, this needs a QE test case added. After it is fixed / verified, please help add one test case for it (ask me to peer review), attach the test case to this bug, then remove the keyword that was added. Thanks
Moving to POST; we'll still have to bump this in o/k and wait for the rebase in order to be able to test it.
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.
The fixed apiserver-library-go was merged to o/k master as a part of https://github.com/openshift/kubernetes/pull/1087
Verified on 4.10.0-0.nightly-2022-01-17-223655

Steps:
Create a project and try to create a privileged ephemeral container with a user that is not allowed to create privileged containers.

1. oc new-project <project>

2. oc create -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ephemeral-demo
spec:
  containers:
  - image: k8s.gcr.io/pause:3.1
    imagePullPolicy: IfNotPresent
    name: ephemeral-demo
    resources: {}
    securityContext:
      capabilities:
        drop:
        - KILL
        - MKNOD
        - SETGID
        - SETUID
      runAsUser: 1000650000
  ephemeralContainers:
  - name: ephemeral-demo-debug
    image: busybox
    securityContext:
      privileged: true
EOF

Expected:
Unable to create container with error: provider "nonroot": Forbidden: not usable by user or serviceaccount, spec.ephemeralContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed

Found:
Unable to create container with error: provider "nonroot": Forbidden: not usable by user or serviceaccount, spec.ephemeralContainers[0].securityContext.privileged: Invalid value: true: Privileged containers are not allowed
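Added example (not code from OpenShift, Kubernetes or apiserver-library-go) modelling the admission gap described in this bug and the field path reported in the verification above: a check that walks only `containers` and `initContainers` never sees `spec.ephemeralContainers`, so the privileged ephemeral container passes, while a check that walks all three lists flags it. The sample manifest is a constructed Python dict mirroring the verification YAML; since ephemeral containers are normally added through the pod's ephemeralcontainers subresource, the same walk has to run on that update path too.

```python
"""Audit a Pod manifest for privileged containers in every container list.

Added example (not OpenShift/apiserver-library-go code). A check that only
walks ``containers`` and ``initContainers`` never sees ``ephemeralContainers``,
which is the gap in this bug; the fixed check must walk all three lists.
"""
from typing import Any, Dict, List, Sequence

LEGACY_LISTS = ("initContainers", "containers")                       # pre-fix coverage
ALL_LISTS = ("initContainers", "containers", "ephemeralContainers")   # fixed coverage


def find_privileged(pod: Dict[str, Any],
                    lists: Sequence[str] = ALL_LISTS) -> List[str]:
    """Return field paths of containers in ``lists`` that set privileged: true."""
    spec = pod.get("spec") or {}
    paths = []
    for list_name in lists:
        for idx, container in enumerate(spec.get(list_name) or []):
            sc = container.get("securityContext") or {}
            if sc.get("privileged") is True:
                paths.append(f"spec.{list_name}[{idx}].securityContext.privileged")
    return paths


# Constructed sample mirroring the manifest in the verification comment:
# the regular container is unprivileged, the ephemeral one asks for privileged.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ephemeral-demo"},
    "spec": {
        "containers": [{
            "name": "ephemeral-demo", "image": "k8s.gcr.io/pause:3.1",
            "securityContext": {
                "runAsUser": 1000650000,
                "capabilities": {"drop": ["KILL", "MKNOD", "SETGID", "SETUID"]},
            },
        }],
        "ephemeralContainers": [{
            "name": "ephemeral-demo-debug", "image": "busybox",
            "securityContext": {"privileged": True},
        }],
    },
}

if __name__ == "__main__":
    print("before fix:", find_privileged(SAMPLE_POD, LEGACY_LISTS))  # []
    print("after fix: ", find_privileged(SAMPLE_POD))
```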
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056