Re: SCC privileged not applying

2017-12-19 Thread Weiwei Jiang
Further discussion here:
https://github.com/kubernetes/kubernetes/issues/57378

On Tue, Dec 19, 2017 at 9:54 PM Jordan Liggitt  wrote:

> > On Dec 19, 2017, at 1:49 AM, Weiwei Jiang  wrote:
> >
> > But the scc is trying to verify the creator account (you can see this
> > with audit enabled), and it should be daemonset-controller or something like
> > this, not the given serviceaccount.
>
> That's not accurate. You can give the SCC permissions to either the
> creating user (in the case of a daemonset, this is the daemonset
> controller) and/or to the service account of this pod.
>
> You should avoid giving SCC permissions to the pod creating
> controllers, since that enables any user that can create a daemonset
> to make use of those permissions via the controller.
>
___
dev mailing list
dev@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


Re: SCC privileged not applying

2017-12-19 Thread Jordan Liggitt
> On Dec 19, 2017, at 1:49 AM, Weiwei Jiang  wrote:
>
> But the scc is trying to verify the creator account (you can see this with
> audit enabled), and it should be daemonset-controller or something like this,
> not the given serviceaccount.

That's not accurate. You can give the SCC permissions to either the
creating user (in the case of a daemonset, this is the daemonset
controller) and/or to the service account of this pod.

You should avoid giving SCC permissions to the pod creating
controllers, since that enables any user that can create a daemonset
to make use of those permissions via the controller.

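The matching rule Jordan describes above (an SCC is usable if it is granted to the creating user or to the pod's service account), together with the FailedCreate error from the original post, as an added worked example. This is illustration code, not OpenShift's own admission code and not anything posted in the thread. It assumes a controller identity of system:serviceaccount:openshift-infra:daemonset-controller (the real name is not shown in the thread), simplifies SCC ordering to "fewest host-level allowances first", and uses simplified field paths in the error strings.

```python
"""Added model of OpenShift SCC admission (illustration, not OpenShift code).

Two identities are consulted for every pod create and their SCCs are unioned:
  1. the requesting user plus its groups: for a DaemonSet that is the
     daemonset controller, not the person who ran `oc create`;
  2. the pod's service account, system:serviceaccount:<ns>:<name>, plus the
     implicit groups system:authenticated, system:serviceaccounts and
     system:serviceaccounts:<ns>.
The pod is validated against each usable SCC; the first it satisfies is
applied, otherwise every violation is reported, as in the FailedCreate event.
The controller's service-account name is an assumption for illustration.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SCC:
    name: str
    users: List[str] = field(default_factory=list)
    groups: List[str] = field(default_factory=list)
    allowHostNetwork: bool = False
    allowHostPID: bool = False
    allowHostIPC: bool = False
    allowPrivilegedContainer: bool = False
    allowHostDirVolumePlugin: bool = False


def grant(scc: SCC, user: str) -> SCC:
    """Effect of `oc adm policy add-scc-to-user <scc> <user>`: append to .users."""
    return replace(scc, users=scc.users + [user])


def sa_identities(namespace: str, name: str) -> Tuple[Set[str], Set[str]]:
    """User name and implicit groups carried by a service account."""
    return ({f"system:serviceaccount:{namespace}:{name}"},
            {"system:authenticated", "system:serviceaccounts",
             f"system:serviceaccounts:{namespace}"})


def usable_sccs(sccs: List[SCC], requester: Tuple[str, str],
                pod_ns: str, pod_sa: str) -> List[SCC]:
    """SCCs granted to the requester OR the pod's SA, most restrictive first."""
    users: Set[str] = set()
    groups: Set[str] = set()
    for ns, sa in (requester, (pod_ns, pod_sa)):
        u, g = sa_identities(ns, sa)
        users |= u
        groups |= g
    matched = [s for s in sccs if set(s.users) & users or set(s.groups) & groups]
    return sorted(matched, key=lambda s: sum((
        s.allowHostNetwork, s.allowHostPID, s.allowHostIPC,
        s.allowPrivilegedContainer, s.allowHostDirVolumePlugin)))


def validate(pod: Dict, scc: SCC) -> List[str]:
    """Violations of the pod spec against one SCC, phrased like the event text."""
    spec = pod["spec"]
    errs: List[str] = []
    for key, allowed, label in (("hostNetwork", scc.allowHostNetwork, "Host network"),
                                ("hostPID", scc.allowHostPID, "Host PID"),
                                ("hostIPC", scc.allowHostIPC, "Host IPC")):
        if spec.get(key) and not allowed:
            errs.append(f"provider {scc.name}: .spec.securityContext.{key}: "
                        f"Invalid value: true: {label} is not allowed to be used")
    for i, c in enumerate(spec.get("containers", [])):
        if c.get("securityContext", {}).get("privileged") and not scc.allowPrivilegedContainer:
            errs.append(f"provider {scc.name}: .spec.containers[{i}].securityContext.privileged: "
                        "Invalid value: true: Privileged containers are not allowed")
    for i, v in enumerate(spec.get("volumes", [])):
        if "hostPath" in v and not scc.allowHostDirVolumePlugin:
            errs.append(f'provider {scc.name}: .spec.volumes[{i}]: Invalid value: "hostPath": '
                        "hostPath volumes are not allowed to be used")
    return errs


def admit(pod: Dict, sccs: List[SCC],
          requester: Tuple[str, str]) -> Tuple[Optional[str], List[str]]:
    """Name of the first usable SCC the pod validates against, else (None, errors)."""
    pod_ns = pod["metadata"]["namespace"]
    pod_sa = pod["spec"].get("serviceAccountName", "default")
    errors: List[str] = []
    for scc in usable_sccs(sccs, requester, pod_ns, pod_sa):
        errs = validate(pod, scc)
        if not errs:
            return scc.name, []
        errors.extend(errs)
    return None, errors


# Constructed data mirroring the thread: the two stock SCCs and the DaemonSet's
# pod template, abridged to the fields SCC admission cares about.
RESTRICTED = SCC("restricted", groups=["system:authenticated"])
PRIVILEGED = SCC("privileged", allowHostNetwork=True, allowHostPID=True, allowHostIPC=True,
                 allowPrivilegedContainer=True, allowHostDirVolumePlugin=True)
NEWRELIC_SA = "system:serviceaccount:new-relic:new-relic"
DS_CONTROLLER = ("openshift-infra", "daemonset-controller")  # assumed controller identity
NEWRELIC_POD = {
    "metadata": {"namespace": "new-relic"},
    "spec": {
        "serviceAccountName": "new-relic",
        "hostNetwork": True, "hostPID": True, "hostIPC": True,
        "containers": [{"name": "newrelic", "securityContext": {"privileged": True}}],
        "volumes": [{"name": "newrelic-config", "secret": {"secretName": "newrelic-config"}},
                    {"name": "dev", "hostPath": {"path": "/dev"}},
                    {"name": "run", "hostPath": {"path": "/var/run/docker.sock"}},
                    {"name": "sys", "hostPath": {"path": "/sys"}},
                    {"name": "log", "hostPath": {"path": "/var/log"}}],
    },
}


def sa_granted():
    """privileged granted to the pod's SA: admitted although the controller creates it."""
    return admit(NEWRELIC_POD, [RESTRICTED, grant(PRIVILEGED, NEWRELIC_SA)], DS_CONTROLLER)


def nothing_granted():
    """No grant: only restricted is usable and it rejects every host-level setting."""
    return admit(NEWRELIC_POD, [RESTRICTED, PRIVILEGED], DS_CONTROLLER)


def controller_granted():
    """Granting the controller instead: an unrelated namespace's default SA gets it too."""
    sccs = [RESTRICTED, grant(PRIVILEGED, "system:serviceaccount:%s:%s" % DS_CONTROLLER)]
    other_pod = {"metadata": {"namespace": "anyone"},
                 "spec": {**NEWRELIC_POD["spec"], "serviceAccountName": "default"}}
    return admit(other_pod, sccs, DS_CONTROLLER)


if __name__ == "__main__":
    print(sa_granted())          # ('privileged', [])
    print(nothing_granted())     # (None, [... eight restricted-provider errors ...])
    print(controller_granted())  # ('privileged', []) for a pod nobody meant to privilege
```

In the thread's own terms the fix is the first scenario: grant the SCC to the pod's service account (`oc adm policy add-scc-to-user privileged -z new-relic -n new-relic`) and confirm that `system:serviceaccount:new-relic:new-relic` now appears under `users:` in `oc get scc privileged -o yaml`. The third scenario is the point of Jordan's warning: a grant to the controller identity is inherited by every DaemonSet in the cluster, whoever created it.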


Re: SCC privileged not applying

2017-12-19 Thread Mateus Caruccio
Makes sense. Thanks for your clarification ;)

--
Mateus Caruccio / Master of Puppets
GetupCloud.com
We make the infrastructure invisible
Gartner Cool Vendor 2017

2017-12-19 4:48 GMT-02:00 Weiwei Jiang <wji...@redhat.com>:

> Hi:
>
> I think you have some misunderstanding of OpenShift.
>
> Actually, you create a daemonset with a specific serviceaccount you created,
> which is granted the privileged SCC, right?
> But the scc is trying to verify the creator account (you can see this with
> audit enabled), and it should be daemonset-controller or something like this,
> not the given serviceaccount.
> So you grant the new-relic account, but the creator is
> daemonset-controller (I just put it here; maybe this is also not the right
> serviceaccount to create the target pod), so you get this issue.
>
> And back to your scenario, I have no better suggestion if you insist on
> using a daemonset to create the pod.
>
> You can pick up the pod template from the daemonset to just create the pod
> directly and grant the scc to your user (`oc whoami`), but you will lose the
> daemonset features.
>
>
> Regards!
>
> On Tue, Dec 19, 2017 at 3:01 AM Mateus Caruccio <
> mateus.caruc...@getupcloud.com> wrote:
>
>> There is this daemonset which needs host access. I've created a
>> namespace, added `privileged` scc to a new serviceaccount and set pod to
>> run with that SA.
>>
>> The problem is openshift is not applying the privileged SCC to my
>> serviceAccount.
>>
>> *$ oc get ev*
>> LASTSEEN   FIRSTSEEN   COUNT     NAME             KIND        SUBOBJECT   TYPE      REASON         SOURCE       MESSAGE
>> 17s        17s         25        newrelic-agent   DaemonSet               Warning   FailedCreate   daemon-set   Error creating: pods
>> "newrelic-agent-" is forbidden: unable to validate against any security
>> context constraint: [provider restricted: .spec.securityContext.hostNetwork:
>> Invalid value: true: Host network is not allowed to be used provider
>> restricted: .spec.securityContext.hostPID: Invalid value: true: Host PID is
>> not allowed to be used provider restricted: .spec.securityContext.hostIPC:
>> Invalid value: true: Host IPC is not allowed to be used provider
>> restricted: .spec.containers[0].securityContext.privileged: Invalid
>> value: true: Privileged containers are not allowed provider restricted:
>> .spec.containers[0].securityContext.volumes[1]: Invalid value:
>> "hostPath": hostPath volumes are not allowed to be used provider
>> restricted: .spec.containers[0].securityContext.volumes[2]: Invalid
>> value: "hostPath": hostPath volumes are not allowed to be used provider
>> restricted: .spec.containers[0].securityContext.volumes[3]: Invalid
>> value: "hostPath": hostPath volumes are not allowed to be used provider
>> restricted: .spec.containers[0].securityContext.volumes[4]: Invalid
>> value: "hostPath": hostPath volumes are not allowed to be used provider
>> restricted: .spec.containers[0].securityContext.hostNetwork: Invalid
>> value: true: Host network is not allowed to be used provider restricted:
>> .spec.containers[0].securityContext.hostPID: Invalid value: true: Host
>> PID is not allowed to be used provider restricted: 
>> .spec.containers[0].securityContext.hostIPC:
>> Invalid value: true: Host IPC is not allowed to be used]
>>
>>
>> This is my config:
>>
>>
>> *$ oc version*
>> oc v3.6.0+c4dd4cf
>> kubernetes v1.6.1+5115d708d7
>> features: Basic-Auth GSSAPI Kerberos SPNEGO
>>
>> Server https://[REDACTED]
>> openshift v3.6.0+c4dd4cf
>> kubernetes v1.6.1+5115d708d7
>>
>>
>> *$ oc whoami*
>> system:admin
>>
>>
>> *$ oc get ds -o yaml -n new-relic*
>> apiVersion: v1
>> items:
>> - apiVersion: extensions/v1beta1
>>   kind: DaemonSet
>>   metadata:
>>     creationTimestamp: 2017-12-18T18:20:42Z
>>     generation: 1
>>     labels:
>>       app: newrelic-agent
>>       tier: monitoring
>>       version: v1
>>     name: newrelic-agent
>>     namespace: new-relic
>>     resourceVersion: "9280118"
>>     selfLink: /apis/extensions/v1beta1/namespaces/new-relic/daemonsets/newrelic-agent
>>     uid: 286ed3c9-e420-11e7-aa46-000af7b3efa4
>>   spec:
>>     selector:
>>       matchLabels:
>>         name: newrelic
>>     template:
>>       metadata:
>>         creationTimestamp: null
>>         labels:
>>           name: newrelic
>>       spec:
>>         containers:
>>

SCC privileged not applying

2017-12-18 Thread Mateus Caruccio
There is this daemonset which needs host access. I've created a namespace,
added `privileged` scc to a new serviceaccount and set pod to run with that
SA.

The problem is openshift is not applying the privileged SCC to my
serviceAccount.

*$ oc get ev*
LASTSEEN   FIRSTSEEN   COUNT     NAME             KIND        SUBOBJECT   TYPE      REASON         SOURCE       MESSAGE
17s        17s         25        newrelic-agent   DaemonSet               Warning   FailedCreate   daemon-set   Error creating: pods
"newrelic-agent-" is forbidden: unable to validate against any security
context constraint: [provider restricted:
.spec.securityContext.hostNetwork: Invalid value: true: Host network is not
allowed to be used provider restricted: .spec.securityContext.hostPID:
Invalid value: true: Host PID is not allowed to be used provider
restricted: .spec.securityContext.hostIPC: Invalid value: true: Host IPC is
not allowed to be used provider restricted:
.spec.containers[0].securityContext.privileged: Invalid value: true:
Privileged containers are not allowed provider restricted:
.spec.containers[0].securityContext.volumes[1]: Invalid value: "hostPath":
hostPath volumes are not allowed to be used provider restricted:
.spec.containers[0].securityContext.volumes[2]: Invalid value: "hostPath":
hostPath volumes are not allowed to be used provider restricted:
.spec.containers[0].securityContext.volumes[3]: Invalid value: "hostPath":
hostPath volumes are not allowed to be used provider restricted:
.spec.containers[0].securityContext.volumes[4]: Invalid value: "hostPath":
hostPath volumes are not allowed to be used provider restricted:
.spec.containers[0].securityContext.hostNetwork: Invalid value: true: Host
network is not allowed to be used provider restricted:
.spec.containers[0].securityContext.hostPID: Invalid value: true: Host PID
is not allowed to be used provider restricted:
.spec.containers[0].securityContext.hostIPC: Invalid value: true: Host IPC
is not allowed to be used]


This is my config:


*$ oc version*
oc v3.6.0+c4dd4cf
kubernetes v1.6.1+5115d708d7
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://[REDACTED]
openshift v3.6.0+c4dd4cf
kubernetes v1.6.1+5115d708d7


*$ oc whoami*
system:admin


*$ oc get ds -o yaml -n new-relic*
apiVersion: v1
items:
- apiVersion: extensions/v1beta1
  kind: DaemonSet
  metadata:
    creationTimestamp: 2017-12-18T18:20:42Z
    generation: 1
    labels:
      app: newrelic-agent
      tier: monitoring
      version: v1
    name: newrelic-agent
    namespace: new-relic
    resourceVersion: "9280118"
    selfLink: /apis/extensions/v1beta1/namespaces/new-relic/daemonsets/newrelic-agent
    uid: 286ed3c9-e420-11e7-aa46-000af7b3efa4
  spec:
    selector:
      matchLabels:
        name: newrelic
    template:
      metadata:
        creationTimestamp: null
        labels:
          name: newrelic
      spec:
        containers:
        - command:
          - bash
          - -c
          - source /etc/kube-newrelic/config && /usr/sbin/nrsysmond -E -F
          env:
          - name: NRSYSMOND_logfile
            value: /var/log/nrsysmond.log
          image: newrelic/nrsysmond
          imagePullPolicy: Always
          name: newrelic
          resources:
            requests:
              cpu: 150m
          securityContext:
            privileged: true
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
          - mountPath: /etc/kube-newrelic
            name: newrelic-config
            readOnly: true
          - mountPath: /dev
            name: dev
          - mountPath: /var/run/docker.sock
            name: run
          - mountPath: /sys
            name: sys
          - mountPath: /var/log
            name: log
        dnsPolicy: ClusterFirst
        hostIPC: true
        hostNetwork: true
        hostPID: true
        restartPolicy: Always
        schedulerName: default-scheduler
        securityContext: {}
        serviceAccount: new-relic
        serviceAccountName: new-relic
        terminationGracePeriodSeconds: 30
        volumes:
        - name: newrelic-config
          secret:
            defaultMode: 420
            secretName: newrelic-config
        - hostPath:
            path: /dev
          name: dev
        - hostPath:
            path: /var/run/docker.sock
          name: run
        - hostPath:
            path: /sys
          name: sys
        - hostPath:
            path: /var/log
          name: log
    templateGeneration: 1
    updateStrategy:
      type: OnDelete
  status:
    currentNumberScheduled: 0
    desiredNumberScheduled: 0
    numberMisscheduled: 0
    numberReady: 0
kind: List
metadata: {}
resourceVersion: ""
selfLink: ""


*$ oc get scc*
...[cut]
- allowHostDirVolumePlugin: true
  allowHostIPC: true
  allowHostNetwork: true
  allowHostPID: true
  allowHostPorts: true
  allowPrivileged