openshift / apiserver-library-go
k/k dependent helpers for kube-apiserver and openshift-apiserver
License: Apache License 2.0
Add a way for dependent projects to get a list of the standard/default SCCs so these projects do not need to maintain their own lists. Please see this link
The following branches are being fast-forwarded from the current development branch (master) as placeholders for future releases. No merging is allowed into these release branches until they are unfrozen for production release.
release-4.18
release-4.19
For more information, see the branching documentation.
Ideally I would like to be able to specify multiple valid sets to match against. Right now I need duplicate SCCs for each type I want to allow.
If, for example, I want to allow both container_t and spc_t, I need to have two policies bound to my SA with everything except seLinuxContext duplicated.
The following branches are being fast-forwarded from the current development branch (master) as placeholders for future releases. No merging is allowed into these release branches until they are unfrozen for production release.
release-4.5
release-4.4
Contact the Test Platform or Automated Release teams for more information.
As you can see in the following snippet (@@@ prefixed line), the seccomp errors look like they occur in the context of the hostmount-anyuid provider, but they actually do not: they occur in the consideration of an SCC called "kubevirt-controller" (which made this tricky to debug).
E1109 09:04:41.472725 1 util.go:72] pods "virt-export-vme-test-cvrbnzr8k7ts" is forbidden: unable to validate against any security context constraint:
[
provider "containerized-data-importer": Forbidden: not usable by user or serviceaccount
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{107}: 107 is not an allowed group,
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
@@@provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, pod.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: Forbidden: seccomp may not be set, pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/vme-test-cvrbnzr8k7ts]: Forbidden: seccomp may not be set,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "bridge-marker": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner-csi": Forbidden: not usable by user or serviceaccount,
provider "linux-bridge": Forbidden: not usable by user or serviceaccount,
provider "kubevirt-handler": Forbidden: not usable by user or serviceaccount,
provider "rook-ceph": Forbidden: not usable by user or serviceaccount,
provider "node-exporter": Forbidden: not usable by user or serviceaccount,
provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount
]
Note: I added the newlines; the original output is
E1109 09:04:41.472725 1 util.go:72] pods "virt-export-vme-test-cvrbnzr8k7ts" is forbidden: unable to validate against any security context constraint: [provider "containerized-data-importer": Forbidden: not usable by user or serviceaccount, provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{107}: 107 is not an allowed group, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, pod.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: Forbidden: seccomp may not be set, pod.metadata.annotations[container.seccomp.security.alpha.kubernetes.io/vme-test-cvrbnzr8k7ts]: Forbidden: seccomp may not be set, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "bridge-marker": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "hostpath-provisioner-csi": Forbidden: not usable by user or serviceaccount, provider "linux-bridge": Forbidden: not usable by user or serviceaccount, provider "kubevirt-handler": Forbidden: not usable by user or serviceaccount, provider "rook-ceph": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
May be worth making this a bit nicer with newlines?
I'm running GitLab Runner on OpenShift, and GitLab Runner only allows me to specify the type of seLinuxOptions; the rest of the values are unspecified.
This requires me to use an SCC with RunAsAny for seLinuxContext, since the logic for validating it matches on all fields.
If I don't specify a field in the SCC, it seems to validate against a default value; however, the value from the pod is not replaced by a default if missing/empty, which means my pod is rejected.
Example SCC:
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: gitlab-runner-jobs
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
  seLinuxOptions:
    type: spc_t
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
allowedCapabilities:
  - SYS_CHROOT
  - SETUID
  - SETGID
  - SETFCAP
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
readOnlyRootFilesystem: false
users:
  - "system:serviceaccount:gitlab-runner-jobs:gitlab-runner-jobs"
This rejects a pod with
securityContext:
  seLinuxOptions:
    type: spc_t