IBM / ibm-spectrum-scale-csi

The IBM Spectrum Scale Container Storage Interface (CSI) project enables container orchestrators, such as Kubernetes and OpenShift, to manage the life-cycle of persistent storage.
Apache License 2.0
68 stars 49 forks

Incorrect SCC #112

Closed mew2057 closed 4 years ago

mew2057 commented 4 years ago

Describe the bug
Had an issue with a Cloud Pak Service that got stuck being assigned to the csiaccess SCC for some reason. It seems like this group should not be included in the SCC, only the users (the SAs used by Scale).

oc describe scc csiaccess  
Name:                       csiaccess
Priority:                   <none>
Access:                     
 Users:                 system:serviceaccount:spectrum-scale:ibm-spectrum-scale-csi-attacher,system:serviceaccount:spectrum-scale:ibm-spectrum-scale-csi-provisioner,system:serviceaccount:spectrum-scale:ibm-spectrum-scale-csi-node
 Groups:                    system:authenticated

mew2057 commented 4 years ago

This was the scc config file:

kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  annotations:
    kubernetes.io/description: allow hostpath and host network to be accessible
  generation: 1
  name: csiaccess
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/csiaccess
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: true
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities: []
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups:
- system:authenticated
{% if csiaccess_users|length > 0 %}
users:
{% for user in csiaccess_users %}
  - "{{user}}"
{% endfor %}
{% endif %}

mew2057 commented 4 years ago

It looks like system:authenticated is called out explicitly. @deeghuge or @smitaraut, is there a reason to add this group to the SCC? I just ported this from the original driver SCC without thinking about context.

smitaraut commented 4 years ago

The system:authenticated group is coming from the “Restricted” SCC, which has been used as a template for csiaccess. We only lifted the minimal restrictions needed for the Scale driver. This SCC is thus made available to all authenticated users and not to anonymous users.

The csiaccess SCC is meant for the Spectrum Scale CSI driver and should not be changed for an application's requirements. Application pods can use other SCCs per their requirements, not necessarily csiaccess.
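The security point in this thread is that an SCC which allows privileged containers, hostPath volumes and host networking was granted to the system:authenticated group, so every authenticated user's pods could be admitted under it, not only the three driver service accounts. The following audit script is an added example, not code from this issue or from the ibm-spectrum-scale-csi project. It reads JSON shaped like the output of `oc get scc -o json` and flags SCCs whose host/privilege settings are reachable by a broad group. The embedded input is constructed: it mirrors the csiaccess definition posted above, adds a hypothetical corrected copy named csiaccess-fixed (groups emptied, users kept), and a restricted-style SCC that legitimately lists system:authenticated because it grants nothing beyond the default profile.

```python
"""Added example: audit OpenShift SCCs for host/privileged settings granted to broad
groups such as system:authenticated. The input below is constructed JSON shaped like
`oc get scc -o json`; it was not captured from a real cluster."""
import json

# Groups that effectively mean "every user / every service account on the cluster".
BROAD_GROUPS = {
    "system:authenticated",
    "system:authenticated:oauth",
    "system:serviceaccounts",
    "system:unauthenticated",
}

# Boolean SCC fields that lift host or privilege restrictions.
HIGH_RISK_FLAGS = (
    "allowPrivilegedContainer",
    "allowHostDirVolumePlugin",
    "allowHostNetwork",
    "allowHostPID",
    "allowHostIPC",
    "allowHostPorts",
)

# Constructed sample: csiaccess as posted in the issue (group carried over from
# "restricted"), a hypothetical corrected copy, and a restricted-like SCC.
SAMPLE_SCC_JSON = r"""
{"kind": "List", "items": [
 {"metadata": {"name": "csiaccess"},
  "allowPrivilegedContainer": true, "allowHostDirVolumePlugin": true,
  "allowHostNetwork": true, "allowHostPID": false, "allowHostIPC": false,
  "allowHostPorts": false, "allowedCapabilities": [],
  "runAsUser": {"type": "RunAsAny"},
  "volumes": ["configMap", "downwardAPI", "emptyDir", "hostPath",
              "persistentVolumeClaim", "projected", "secret"],
  "groups": ["system:authenticated"],
  "users": ["system:serviceaccount:spectrum-scale:ibm-spectrum-scale-csi-attacher",
            "system:serviceaccount:spectrum-scale:ibm-spectrum-scale-csi-provisioner",
            "system:serviceaccount:spectrum-scale:ibm-spectrum-scale-csi-node"]},
 {"metadata": {"name": "csiaccess-fixed"},
  "allowPrivilegedContainer": true, "allowHostDirVolumePlugin": true,
  "allowHostNetwork": true, "runAsUser": {"type": "RunAsAny"},
  "volumes": ["configMap", "emptyDir", "hostPath", "secret"],
  "groups": [],
  "users": ["system:serviceaccount:spectrum-scale:ibm-spectrum-scale-csi-node"]},
 {"metadata": {"name": "restricted"},
  "allowPrivilegedContainer": false, "allowHostDirVolumePlugin": false,
  "allowHostNetwork": false, "runAsUser": {"type": "MustRunAsRange"},
  "volumes": ["configMap", "emptyDir", "persistentVolumeClaim", "secret"],
  "groups": ["system:authenticated"], "users": []}
]}
"""


def risky_settings(scc):
    """List the settings in one SCC that go beyond the restricted profile."""
    found = [f for f in HIGH_RISK_FLAGS if scc.get(f) is True]
    if {"hostPath", "*"} & set(scc.get("volumes") or []):
        found.append("volumes:hostPath")
    if (scc.get("runAsUser") or {}).get("type") == "RunAsAny":
        found.append("runAsUser:RunAsAny")
    if "*" in (scc.get("allowedCapabilities") or []):
        found.append("allowedCapabilities:*")
    return found


def broad_grants(scc):
    """Broad groups named directly in the SCC's groups field."""
    return sorted(BROAD_GROUPS & set(scc.get("groups") or []))


def audit(scc_json_text):
    """Return {name: (broad groups, risky settings)} for SCCs whose risky settings
    are reachable by a broad group. Grants made via RBAC (the `use` verb on the
    securitycontextconstraints resource) are a separate check not covered here."""
    doc = json.loads(scc_json_text)
    items = doc["items"] if isinstance(doc, dict) else doc
    findings = {}
    for scc in items:
        groups, risks = broad_grants(scc), risky_settings(scc)
        if groups and risks:
            findings[scc["metadata"]["name"]] = (groups, risks)
    return findings


if __name__ == "__main__":
    # Against a live cluster: oc get scc -o json | python3 scc_audit.py
    import sys
    text = SAMPLE_SCC_JSON if sys.stdin.isatty() else sys.stdin.read()
    for name, (groups, risks) in audit(text).items():
        print(f"{name}: granted to {', '.join(groups)}; allows {', '.join(risks)}")
```

On the constructed input only csiaccess is reported: csiaccess-fixed has the same risky settings but no broad group, and restricted lists system:authenticated but enables nothing risky. The check looks only at the SCC's own users/groups fields; access granted through RBAC roles that carry the use verb on securitycontextconstraints is not visible here and needs a separate review.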

smitaraut commented 4 years ago

This seems to be fixed. Can we close this issue?

Jainbrt commented 4 years ago

@smitaraut @mew2057 Do you have any tests to try out for this change?

mew2057 commented 4 years ago

There are no tests, because it was hit by an internal team member, and I don't recall the state it was in. You can check Slack for specific details (I hate saying that, but it's config stuff that can't be exposed).