Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

hostnetwork SCC takes precedence over restricted for a pod that doesn't request host network #15933

Closed
php-coder opened this issue Aug 23, 2017 · 3 comments
Closed

hostnetwork SCC takes precedence over restricted for a pod that doesn't request host network #15933

php-coder opened this issue Aug 23, 2017 · 3 comments
Assignees
@adelton
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. priority/P2 sig/security

Comments

@php-coder
Copy link
Contributor

Extracted from https://github.com/openshift/origin/pull/15923/files#r134773733:

Steps To Reproduce
$ oc cluster up
$ oc login -u system:admin
$ oc adm policy add-scc-to-user hostnetwork developer
$ oc login -u developer -p developer
$ $ cat testing-nope-pod.yaml 
kind: Pod
apiVersion: v1
metadata:
  generateName: testing-pod-
spec:
  restartPolicy: Never
  containers:
  - name: test-pod
	image: busybox
	command:
	- id
$ oc create -f testing-nope-pod.yaml
pod "testing-pod-ff9zw" created
Current Result
$ oc get pod testing-pod-ff9zw -o yaml | grep scc
	openshift.io/scc: hostnetwork
Expected Result
$ oc get pod testing-pod-ff9zw -o yaml | grep scc
	openshift.io/scc: restricted
Workaround

oc patch scc restricted -p '{"priority":1}'

CC @openshift/sig-security
@php-coder php-coder mentioned this issue Aug 23, 2017
Merged
@pweil- pweil- added kind/bug Categorizes issue or PR as related to a bug. priority/P2 labels Aug 23, 2017
@php-coder
Copy link
Contributor Author

It doesn't compromise security because 1) a user should have access to the hostnetwork SCC anyway 2) while hostnetwork allows host ports and host network it doesn't mutates a pod to set it as default values. In fact the pods that were created by these SCCs look the same.

@adelton
Copy link
Contributor

adelton commented Sep 4, 2017

@pweil- Are we sure that hostnetwork is the only thing from whatever can be set for SCC (see https://github.com/openshift/origin/blob/master/pkg/security/apis/security/types.go#L18) which isn't yet covered by https://github.com/openshift/origin/blob/master/pkg/security/securitycontextconstraints/byrestrictions.go, apart from capabilities which we plan to cover by #14825?

I'd like to cover everything which might affect the score, not add individual things when we uncover them.

@adelton adelton self-assigned this Sep 4, 2017
@adelton adelton mentioned this issue Sep 8, 2017
Merged
@adelton
Copy link
Contributor

adelton commented Sep 8, 2017

In #16231, I now consider both AllowHostNetwork and AllowHostPorts.

@simo5 simo5 changed the title hostnetowork SCC takes precedence over restricted for a pod that doesn't request host network hostnetwork SCC takes precedence over restricted for a pod that doesn't request host network Sep 15, 2017
@php-coder php-coder removed their assignment Oct 6, 2017
openshift-merge-robot added a commit that referenced this issue Oct 16, 2017
@openshift-merge-robot
Merge pull request #16231 from adelton/issue-15933
989078f 
Automatic merge from submit-queue (batch tested with PRs 16867, 16231).

Distinguish SCCs that AllowHostNetwork and AllowHostPorts from those that do not, in the score calculation.

Fixes #15933.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@adelton adelton

Labels
area/security kind/bug Categorizes issue or PR as related to a bug. priority/P2 sig/security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@php-coder @adelton @pweil-