Introduce new SCCs #5498
Introduce new SCCs #5498
Conversation
|
[test] |
| // SecurityContextConstraintNonRoot is used as the name for the system default non-root scc. | ||
| SecurityContextConstraintNonRoot = "nonroot" | ||
| // SecurityContextConstraintHostMount is used as the name for the system default host mount only scc. | ||
| SecurityContextConstraintHostMount = "hostmount" |
There was a problem hiding this comment.
Why is host mount useful? This is effectively root access on all nodes, why would you still try constrain nodes? This is effectively privileged.
There was a problem hiding this comment.
PV recycler pods need it and nothing else (afaik)
There was a problem hiding this comment.
This was specifically for the recycler
There was a problem hiding this comment.
Hrm - we could really use a description on this one...
On Thu, Oct 29, 2015 at 1:42 PM, Jordan Liggitt [email protected]
wrote:
In pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
#5498 (comment):@@ -9,12 +9,19 @@ const (
SecurityContextConstraintPrivileged = "privileged"
// SecurityContextConstraintRestricted is used as the name for the system default restricted scc.
SecurityContextConstraintRestricted = "restricted"
- // SecurityContextConstraintNonRoot is used as the name for the system default non-root scc.
- SecurityContextConstraintNonRoot = "nonroot"
- // SecurityContextConstraintHostMount is used as the name for the system default host mount only scc.
- SecurityContextConstraintHostMount = "hostmount"
PV recycler pods need it and nothing else (afaik)
—
Reply to this email directly or view it on GitHub
https://github.com/openshift/origin/pull/5498/files#r43418964.
There was a problem hiding this comment.
We actually should have descriptions on all of these that describe exactly
what they do, and how insecure they are. Like giant warning kind of output.
On Thu, Oct 29, 2015 at 1:45 PM, Clayton Coleman [email protected]
wrote:
Hrm - we could really use a description on this one...
On Thu, Oct 29, 2015 at 1:42 PM, Jordan Liggitt [email protected]
wrote:In pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
#5498 (comment):@@ -9,12 +9,19 @@ const (
SecurityContextConstraintPrivileged = "privileged"
// SecurityContextConstraintRestricted is used as the name for the system default restricted scc.
SecurityContextConstraintRestricted = "restricted"
- // SecurityContextConstraintNonRoot is used as the name for the system default non-root scc.
- SecurityContextConstraintNonRoot = "nonroot"
- // SecurityContextConstraintHostMount is used as the name for the system default host mount only scc.
- SecurityContextConstraintHostMount = "hostmount"
PV recycler pods need it and nothing else (afaik)
—
Reply to this email directly or view it on GitHub
https://github.com/openshift/origin/pull/5498/files#r43418964.
There was a problem hiding this comment.
The immediate need for this is our customer who has the single NFS mount on every single node and is using qtrees with netapp for capacity constraints. He just needed a local pointer to the directory for his PV, so we told him to use PV.HostPath. His alternative is to create many NFS PVs, which he was disinclined to do.
There was a problem hiding this comment.
That user can just create an SCC. Nothing special about these. Also, why does that user need host mount? The PV shouldn't need to go through the SCC.
There was a problem hiding this comment.
added better description comments and big ole warnings on ones that grant host accessing or privileged operations
There was a problem hiding this comment.
The recycler creates a pod that runs "rm -rf" on the volume. The pod has to mount the PV.
If we want to support the recycler making HostPath recycling pods, it needs this permission.
pweil-
force-pushed
the
addl-sccs
branch
2 times, most recently
from
a409fbb to
161f408
Compare
| // to be run with a UID, SELinux context, fs group, and supplemental groups that are | ||
| // allocated to the namespace. | ||
| // | ||
| // WARNING: this SCC allows host access to namespaces, file systems, and PIDS. It should only |
There was a problem hiding this comment.
By descriptions I meant annotations on the SCCs themselves (kubernetes.io/description). Doesn't do much good here for end users.
There was a problem hiding this comment.
lol, fail...adding annotations. No emoji for derp face... 8^/\ is the best I can do.
There was a problem hiding this comment.
Added as annotations. Didn't see a constant for description already so created a local constant. Non-derp face restored.
pweil-
force-pushed
the
addl-sccs
branch
2 times, most recently
from
2252a46 to
4a2ff60
Compare
|
Is there something users can run to reconcile these on an upgrade? |
|
LGTM [merge] |
|
Not yet, on our list |
openshift-bot
added
the
needs-rebase
|
Volume security SCCs beat this in. Will rebase first thing in the morning and add fsgroup/sup group strategies to this. |
|
@liggitt @smarterclayton - added fsgroup/sup group strats in the second commit if you could take a quick glance. The 'anyuid' and 'privileged' sccs allow you to run as any group, the rest are requiring or defaulting. If that's good I'll squash. |
|
Can you update the godoc real quick? |
pweil-
force-pushed
the
addl-sccs
branch
2 times, most recently
from
0e5f9db to
87bf28a
Compare
|
updated docs based on comment and added a godoc reference to how to get the default set of grants. |
|
re[test] |
openshift-bot
removed
the
needs-rebase
|
[merge] |
|
LGTM |
|
This is a valid failure and I'll fix it pending the answer to #5543 (comment) |
|
[test] On Oct 30, 2015, at 7:21 PM, OpenShift Bot [email protected] wrote: continuous-integration/openshift-jenkins/test FAILURE ( — |
|
re[test] |
|
[test] On Oct 31, 2015, at 11:40 AM, OpenShift Bot [email protected] continuous-integration/openshift-jenkins/test FAILURE ( — |
|
keeps hitting a known flake #5559 [test] |
|
[test] On Oct 31, 2015, at 12:56 PM, OpenShift Bot [email protected] continuous-integration/openshift-jenkins/test FAILURE ( — |
|
Evaluated for origin test up to 6f86f78 |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/6552/) (Image: devenv-rhel7_2617) |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/6552/) |
|
clean run from jenkins, the ghosts must have moved back to @Kargakis's PR 👻 🎃 |
|
re[merge] |
|
Evaluated for origin merge up to 6f86f78 |
Merged by openshift-bot
@smarterclayton @liggitt - First pass at new SCCs (step one of the new sorting). Next I'll do the priority field and sorting.
@markturansky - this contains the way to pass additional access methods that was referred to in #5465
@pmorie - I'll probably need to rebase my commit for volume security to pull these in if it merges quickly