Using SCC anyuid in OKD-OpenShift » History » Revision 3
Peter Pfläging, 22.07.2021 06:27
Let root containers run in a specific namespace (OKD / OpenShift)
It's not advised, but there are cases where you have to run Pods as root. There's a SecurityContextConstraint (SCC) in OpenShift handling this:
oc get scc anyuid -o yaml
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    kubernetes.io/description: anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID.
    release.openshift.io/create-only: "true"
  name: anyuid
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
Reference: https://docs.okd.io/latest/authentication/managing-security-context-constraints.html
The best and most practicable way is to create a dedicated namespace for these evil pods and to restrict access to that namespace as tightly as you can.
Set this with command-line tools
OK, we create a namespace called evilone-notsecure:
oc new-project evilone-notsecure --description="Evil Project for root Containers (need anyuid)" --display-name="Evil One (anyuid!)"
Then we grant the SCC to the default service account in this project:
oc adm policy add-scc-to-user -z default -n evilone-notsecure anyuid
On OpenShift 4 this command does not edit the SCC object itself; it creates a RoleBinding in the namespace that binds the service account to the ClusterRole system:openshift:scc:anyuid (shown here for a namespace named mysupercoolnamespace):
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: system:openshift:scc:anyuid
  namespace: mysupercoolnamespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
  name: default
  namespace: mysupercoolnamespace
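Because the grant lives in a RoleBinding rather than in the SCC, the question "who may run as any UID in this cluster?" is answered by listing RoleBindings, not by reading the SCC. The following audit script is an added example (it is not from this wiki page and not part of OKD/OpenShift): it consumes the JSON printed by `oc get rolebindings -A -o json` (standard Kubernetes List shape), picks out every binding whose roleRef is a ClusterRole named `system:openshift:scc:<scc>`, and flags grants of watched SCCs outside the namespaces you have approved for them, such as evilone-notsecure above. The sample data embedded in the block is constructed. Note the caveat in the code: subjects listed directly in the SCC's own `users:` and `groups:` fields (system:cluster-admins on this page) are not RoleBindings and must be checked separately with `oc get scc anyuid -o yaml`.

```python
"""Audit which subjects are granted an SCC through RoleBindings.

Added example, not code from the wiki page or from OpenShift. It reads
the JSON that `oc get rolebindings -A -o json` prints and reports every
RoleBinding whose roleRef is the ClusterRole system:openshift:scc:<scc>,
which is how `oc adm policy add-scc-to-user` records a grant on
OpenShift 4.x. Grants of a watched SCC outside the approved namespaces
are flagged. Direct entries in the SCC's own users:/groups: fields are
NOT covered here and need a separate check of the SCC object.
"""
import json
import sys

SCC_ROLE_PREFIX = "system:openshift:scc:"

# Constructed sample input, mimicking a trimmed `oc get rolebindings -A -o json`.
SAMPLE_ROLEBINDINGS = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # the binding created by the page's add-scc-to-user command
            "kind": "RoleBinding",
            "metadata": {"name": "system:openshift:scc:anyuid",
                         "namespace": "evilone-notsecure"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole",
                        "name": "system:openshift:scc:anyuid"},
            "subjects": [{"kind": "ServiceAccount", "name": "default",
                          "namespace": "evilone-notsecure"}],
        },
        {   # a grant someone made in an ordinary team namespace (constructed)
            "kind": "RoleBinding",
            "metadata": {"name": "system:openshift:scc:anyuid",
                         "namespace": "team-web"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole",
                        "name": "system:openshift:scc:anyuid"},
            "subjects": [{"kind": "ServiceAccount", "name": "builder",
                          "namespace": "team-web"},
                         {"kind": "Group", "name": "devs"}],
        },
        {   # unrelated RBAC binding, must be ignored
            "kind": "RoleBinding",
            "metadata": {"name": "edit", "namespace": "team-web"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "edit"},
            "subjects": [{"kind": "User", "name": "alice"}],
        },
    ],
})


def scc_grants(rolebindings_json):
    """Return (scc, namespace, subject) tuples for every SCC RoleBinding."""
    grants = []
    for rb in json.loads(rolebindings_json).get("items", []):
        ref = rb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole":
            continue
        if not ref.get("name", "").startswith(SCC_ROLE_PREFIX):
            continue
        scc = ref["name"][len(SCC_ROLE_PREFIX):]
        ns = rb["metadata"]["namespace"]
        # subjects may be absent or null on a binding with no members
        for subj in rb.get("subjects") or []:
            # ServiceAccount subjects carry their own namespace; User and
            # Group subjects do not, so the binding's namespace is used.
            who = f'{subj["kind"]}:{subj.get("namespace", ns)}:{subj["name"]}'
            grants.append((scc, ns, who))
    return grants


def unapproved_grants(rolebindings_json, watched_sccs, approved_namespaces):
    """Grants of a watched SCC in a namespace that is not on the allow list."""
    return [g for g in scc_grants(rolebindings_json)
            if g[0] in watched_sccs and g[1] not in approved_namespaces]


if __name__ == "__main__":
    # `python scc_audit.py -` reads real `oc get rolebindings -A -o json`
    # output from stdin; with no argument the constructed sample is used.
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_ROLEBINDINGS
    watched = {"anyuid", "privileged"}
    approved = {"evilone-notsecure"}
    for scc, ns, who in unapproved_grants(data, watched, approved):
        print(f"UNAPPROVED {scc} grant in namespace {ns}: {who}")
```

Run it against the cluster with `oc get rolebindings -A -o json | python scc_audit.py -`; on the constructed sample it reports the two team-web grants and stays silent about the approved evilone-notsecure binding.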
Updated by Peter Pfläging almost 4 years ago · 6 revisions