How SCC reinvocation affects the runAsUser securityContext in Red Hat OpenShift Container Platform 4
Issue
When a deployment is applied in a namespace where upstream Istio sidecar injection is enabled, the pod's runAsUser securityContext is modified when the privileged SCC is used. The same does not happen with the anyuid SCC, even though both SCCs define the RUNASUSER strategy RunAsAny.
For example, a namespace configured with upstream Istio:
$ oc new-project istio-test
$ cat <<EOF | oc -n istio-test create -f -
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: istio-cni
EOF
$ oc label namespace istio-test istio-injection=enabled
Together with the following deployment definition:
$ cat <<'EOF' > fedora-test-sidecar-inject.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: fedora-test-sidecar-inject
  name: fedora-test-sidecar-inject
spec:
  replicas: 1
  selector:
    matchLabels:
      deployment: fedora-test-sidecar-inject
  template:
    metadata:
      labels:
        deployment: fedora-test-sidecar-inject
      annotations:
        sidecar.istio.io/inject: 'true'
        sidecar.istio.io/proxyCPU: 50m
        sidecar.istio.io/proxyCPULimit: 2000m
        sidecar.istio.io/proxyMemory: 200Mi
        sidecar.istio.io/proxyMemoryLimit: 1Gi
        proxy.istio.io/config: '{ "terminationDrainDuration": 30s, "holdApplicationUntilProxyStarts": true }'
    spec:
      containers:
      - image: quay.io/<repository>/fedora-test:uid
        imagePullPolicy: IfNotPresent
        name: fedora-test-sidecar-inject
EOF
$ oc apply -f fedora-test-sidecar-inject.yaml
After granting the privileged SCC to the service accounts of the namespace and redeploying the pod:
$ oc adm policy add-scc-to-group privileged system:serviceaccounts:istio-test
$ oc apply -f fedora-test-sidecar-inject.yaml
Note how the pod is bound to the privileged SCC, but the application container is forced to run as a specific user ID:
$ oc get pods -o custom-columns="NAME:.metadata.name,SCC:.metadata.annotations.openshift\.io/scc,CONTAINERNAME:.spec.containers[*].name,RUNASUSER:.spec.containers[*].securityContext.runAsUser"
NAME                                         SCC          CONTAINERNAME                            RUNASUSER
fedora-test-sidecar-inject-d75986bbd-8j6vt   privileged   istio-proxy,fedora-test-sidecar-inject   1337,1000780000
$ oc exec fedora-test-sidecar-inject-d75986bbd-8j6vt -- id
uid=1000780000(1000780000) gid=0(root) groups=0(root),1000780000
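As an added check (not part of the original article), the comparison made by hand above can be applied to a pod manifest: it reports containers that run as a UID from the namespace's pre-allocated range even though the pod is bound to a RunAsAny SCC, while Istio's own proxy UID 1337 is left alone. The pod manifest and the uid-range value are constructed to match the output above; the namespace annotation openshift.io/sa.scc.uid-range is assumed to hold that range in OpenShift's "<start>/<size>" form.

```python
import json

# Constructed pod manifest modelled on the oc output above (not a real cluster dump).
POD_JSON = """{
  "metadata": {"name": "fedora-test-sidecar-inject-d75986bbd-8j6vt",
               "annotations": {"openshift.io/scc": "privileged"}},
  "spec": {"containers": [
    {"name": "istio-proxy", "securityContext": {"runAsUser": 1337}},
    {"name": "fedora-test-sidecar-inject", "securityContext": {"runAsUser": 1000780000}}
  ]}
}"""
SAMPLE_POD = json.loads(POD_JSON)

# Assumed value of the namespace annotation openshift.io/sa.scc.uid-range,
# which OpenShift writes as "<start>/<size>"; constructed to match the UID above.
NAMESPACE_UID_RANGE = "1000780000/10000"

# SCCs whose RUNASUSER strategy is RunAsAny, so they should not assign a UID themselves.
RUN_AS_ANY_SCCS = {"privileged", "anyuid"}


def parse_uid_range(value):
    """Turn '<start>/<size>' into an inclusive (low, high) pair."""
    start, size = (int(part) for part in value.split("/"))
    return start, start + size - 1


def find_assigned_uids(pod, uid_range):
    """Names of containers whose runAsUser falls inside the namespace's pre-allocated
    range although the pod is bound to a RunAsAny SCC. Istio's own UID 1337 lies
    outside the range and is therefore not reported."""
    scc = pod["metadata"].get("annotations", {}).get("openshift.io/scc")
    if scc not in RUN_AS_ANY_SCCS:
        return []
    low, high = parse_uid_range(uid_range)
    return [
        c["name"]
        for c in pod["spec"]["containers"]
        if low <= (c.get("securityContext") or {}).get("runAsUser", -1) <= high
    ]


if __name__ == "__main__":
    for name in find_assigned_uids(SAMPLE_POD, NAMESPACE_UID_RANGE):
        print(f"{SAMPLE_POD['metadata']['name']}: container {name!r} runs as a "
              f"namespace-assigned UID despite the RunAsAny SCC")
```

To use it against a live cluster, feed it the JSON of `oc get pod <name> -o json` and the uid-range annotation of the namespace instead of the constructed values.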
Environment
Red Hat OpenShift Container Platform 4.x