How SCC reinvocation affects the runAsUser securityContext in Red Hat OpenShift Container Platform 4

Solution Verified

Issue

When a deployment is created in a namespace configured for upstream Istio sidecar injection, the pod's runAsUser securityContext is modified when the pod is admitted under the privileged SCC. The same does not happen with the anyuid SCC, even though both SCCs define a RUNASUSER strategy of RunAsAny.

For example, a namespace configured with upstream Istio:

$ oc new-project istio-test
$ cat <<EOF | oc -n istio-test create -f -
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: istio-cni
EOF
$ oc label namespace istio-test istio-injection=enabled

Together with the following deployment definition:

$ cat <<'EOF' > fedora-test-sidecar-inject.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: fedora-test-sidecar-inject
  name: fedora-test-sidecar-inject
spec:
  replicas: 1
  selector:
    matchLabels:
      deployment: fedora-test-sidecar-inject
  template:
    metadata:
      labels:
        deployment: fedora-test-sidecar-inject
      annotations:
        sidecar.istio.io/inject: 'true'
        sidecar.istio.io/proxyCPU: 50m
        sidecar.istio.io/proxyCPULimit: 2000m
        sidecar.istio.io/proxyMemory: 200Mi
        sidecar.istio.io/proxyMemoryLimit: 1Gi
        proxy.istio.io/config: '{ "terminationDrainDuration": 30s, "holdApplicationUntilProxyStarts": true }'
    spec:
      containers:
      - image: quay.io/<repository>/fedora-test:uid
        imagePullPolicy: IfNotPresent
        name: fedora-test-sidecar-inject
EOF
$ oc apply -f fedora-test-sidecar-inject.yaml

After granting the privileged SCC to the namespace's service accounts and redeploying the pod:

$ oc adm policy add-scc-to-group privileged system:serviceaccounts:istio-test
$ oc apply -f fedora-test-sidecar-inject.yaml

Note how the pod is bound to the privileged SCC, but the application container is forced to run as a specific user ID:

$ oc get pods -o custom-columns="NAME:.metadata.name,SCC:.metadata.annotations.openshift\.io/scc,CONTAINERNAME:.spec.containers[*].name,RUNASUSER:.spec.containers[*].securityContext.runAsUser"
NAME                                         SCC          CONTAINERNAME                            RUNASUSER
fedora-test-sidecar-inject-d75986bbd-8j6vt   privileged   istio-proxy,fedora-test-sidecar-inject   1337,1000780000
$ oc exec fedora-test-sidecar-inject-d75986bbd-8j6vt -- id
uid=1000780000(1000780000) gid=0(root) groups=0(root),1000780000
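As an added audit check (not part of the original article, and not Red Hat's or Istio's code): given the pod and namespace objects that `oc get ... -o json` returns, flag containers whose runAsUser sits inside the namespace's allocated UID range (the `openshift.io/sa.scc.uid-range` annotation) although the pod's SCC uses a RunAsAny RUNASUSER strategy, which is the symptom shown above. The sample objects are constructed from the output on this page, and the SCC strategy table is an assumption covering only the two SCCs the article names.

```python
# Constructed samples of the relevant fields from `oc get pod -o json` and
# `oc get namespace -o json` for the scenario on this page.
NAMESPACE = {
    "metadata": {
        "name": "istio-test",
        "annotations": {"openshift.io/sa.scc.uid-range": "1000780000/10000"},
    }
}
POD = {
    "metadata": {
        "name": "fedora-test-sidecar-inject-d75986bbd-8j6vt",
        "namespace": "istio-test",
        "annotations": {"openshift.io/scc": "privileged"},
    },
    "spec": {
        "containers": [
            {"name": "istio-proxy", "securityContext": {"runAsUser": 1337}},
            {"name": "fedora-test-sidecar-inject",
             "securityContext": {"runAsUser": 1000780000}},
        ]
    },
}
# Assumed RUNASUSER strategy per SCC; the article states both are RunAsAny.
RUN_AS_USER_STRATEGY = {"privileged": "RunAsAny", "anyuid": "RunAsAny"}


def uid_range(namespace):
    """Parse the namespace's allocated UID range annotation ('start/size')."""
    ann = namespace["metadata"]["annotations"]["openshift.io/sa.scc.uid-range"]
    start, size = (int(x) for x in ann.split("/"))
    return start, start + size - 1


def find_range_assigned_uids(pod, namespace, strategies):
    """Return (container, uid) pairs whose runAsUser lies in the namespace's
    allocated range although the admitting SCC is RunAsAny, i.e. the UID was
    not required by that SCC and was set somewhere else during admission."""
    scc = pod["metadata"]["annotations"].get("openshift.io/scc")
    if strategies.get(scc) != "RunAsAny":
        return []
    lo, hi = uid_range(namespace)
    hits = []
    for c in pod["spec"]["containers"]:
        uid = c.get("securityContext", {}).get("runAsUser")
        if uid is not None and lo <= uid <= hi:
            hits.append((c["name"], uid))
    return hits


if __name__ == "__main__":
    for name, uid in find_range_assigned_uids(POD, NAMESPACE, RUN_AS_USER_STRATEGY):
        print(f"{POD['metadata']['name']}: {name} runs as {uid}, inside "
              f"range {uid_range(NAMESPACE)} under a RunAsAny SCC")
```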

Environment

Red Hat OpenShift Container Platform 4.x
