Some SCCs don't drop any caps #16371
simo5 added the area/security and help wanted labels on Sep 15, 2017
The fix is trivial, the main concern is to get agreement on expected behavior.
@openshift/sig-security please, confirm that the following behavior will be OK:
php-coder removed the help wanted label on Sep 19, 2017
openshift-merge-robot added a commit that referenced this issue on Sep 28, 2017

Automatic merge from submit-queue (batch tested with PRs 16559, 16518, 16436).

Modify nonroot, hostaccess, and hostmount-anyuid SCCs to drop some capabilities

- `nonroot` now drops KILL, MKNOD, SETUID, and SETGID
- `hostaccess` now drops KILL, MKNOD, SETUID, and SETGID
- `hostmount-anyuid` now drops MKNOD

PTAL @openshift/sig-security

Fixes #16371
I'm a bit surprised that some SCCs (for example, `nonroot`) have empty `requiredDropCapabilities`.

Version
oc v3.7.0-alpha.1+3fddedc-367-dirty
kubernetes v1.7.0+80709908fd
features: Basic-Auth
Server https://10.34.129.200:8443
openshift v3.7.0-alpha.1+3fddedc-367-dirty
kubernetes v1.7.0+80709908fd
Steps To Reproduce
1. `oc cluster up`
2. `oc login -u system:admin`
3. `oc get scc -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.requiredDropCapabilities}{"\n"}{end}' | column -t`
Current Result
Expected Result
- `nonroot` should drop `KILL`, `MKNOD`, `SETUID`, and `SETGID` capabilities
- `hostaccess` should drop `KILL`, `MKNOD`, `SETUID`, and `SETGID` capabilities
- `hostmount-anyuid` should drop `MKNOD` capabilities
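An added example, not part of the original issue or the OpenShift code base: a Python check that reads the output of `oc get scc -o json` and reports which SCCs are missing the drops listed under Expected Result. The `EXPECTED` table, the function names and the sample JSON are constructed for illustration.

```python
import json

# Expected drops per SCC, taken from the "Expected Result" list in this issue.
EXPECTED = {
    "nonroot": {"KILL", "MKNOD", "SETUID", "SETGID"},
    "hostaccess": {"KILL", "MKNOD", "SETUID", "SETGID"},
    "hostmount-anyuid": {"MKNOD"},
}

def normalize(cap):
    """Upper-case a capability name and strip an optional CAP_ prefix (defensive)."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap

def missing_drops(scc_list_json, expected=EXPECTED):
    """Return {scc_name: sorted list of expected drops that are absent}.

    scc_list_json is the text produced by `oc get scc -o json`.
    SCCs that already satisfy the expectation are omitted from the result.
    """
    findings = {}
    for scc in json.loads(scc_list_json).get("items", []):
        name = scc.get("metadata", {}).get("name")
        if name not in expected:
            continue
        # The field may be absent or null when the SCC drops nothing.
        dropped = {normalize(c) for c in scc.get("requiredDropCapabilities") or []}
        if "ALL" in dropped:  # dropping ALL covers every expected capability
            continue
        gap = expected[name] - dropped
        if gap:
            findings[name] = sorted(gap)
    return findings

# Constructed sample shaped like `oc get scc -o json` output (not real cluster data).
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "nonroot"}, "requiredDropCapabilities": None},
    {"metadata": {"name": "hostaccess"}, "requiredDropCapabilities": ["KILL", "MKNOD"]},
    {"metadata": {"name": "hostmount-anyuid"}, "requiredDropCapabilities": ["CAP_MKNOD"]},
    {"metadata": {"name": "privileged"}, "requiredDropCapabilities": None},
]})

if __name__ == "__main__":
    for name, caps in missing_drops(SAMPLE).items():
        print(f"{name}: does not drop {', '.join(caps)}")
```

Against a live cluster, pass the text of `oc get scc -o json` to `missing_drops` in place of `SAMPLE`.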