Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support OpenShift's built-in restricted-v2 Security Context Constraint #5422

Closed
sigv opened this issue Apr 18, 2024 · 4 comments
Closed

Support OpenShift's built-in restricted-v2 Security Context Constraint #5422

sigv opened this issue Apr 18, 2024 · 4 comments
Labels
backlog Pull requests/issues that are backlog items needs more info Issues that require more information proposal An issue that proposes a feature request
Milestone
Candidates

Comments

@sigv
Copy link
Contributor

sigv commented Apr 18, 2024
edited
Loading

Is your feature request related to a problem? Please describe.

Security teams prefer referencing default (built-in) security restrictions. In OpenShift (v4.11+) the restricted-v2 Security Context Constraint is default, and previously (up to v4.10) the restricted SCC was default. Both of these SCCs require that a pod is run as a user in a pre-allocated range of UIDs. This conflicts current Nginx Ingress Controller set-up which uses UID 101.

Describe the solution you'd like

Nginx Ingress Controller should stop specifying explicit UID in securityContext. Deployments in vanilla Kubernetes will inherit container image default UID, retaining existing behavior. Deployments in OpenShift will be allowed to choose any UID. Users with OpenShift, with existing SCC for NIC would also retain existing RunAsUser behavior.

Describe alternatives you've considered

This is an explicit security requirement. Only alternative is WONTFIX - to not comply with OpenShift requirements.

Additional context
@sigv sigv added the proposal An issue that proposes a feature request label Apr 18, 2024
@github-actions GitHub Actions
Copy link

Hi @sigv thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

@sigv sigv mentioned this issue Apr 18, 2024
Closed
6 tasks
@vepatel vepatel added the ready for refinement An issue that was triaged and it is ready to be refined label Apr 18, 2024
@sigv sigv mentioned this issue Apr 18, 2024
Closed
6 tasks
@vepatel vepatel added the backlog Pull requests/issues that are backlog items label Apr 24, 2024
@danielnginx danielnginx added the needs more info Issues that require more information label May 9, 2024
@shaun-nx
Copy link
Contributor

@sigv we made an update to our Helm template & values to properties of securityContext to be overridden
The PR for that change is here: #5084

In this case your deployment in Openshift can remove runAsUser without removing it as a default.
Please do let me know if I'm mistaken or overlooking anything here.

@shaun-nx shaun-nx added this to the Candidates milestone Jul 11, 2024
@shaun-nx
Copy link
Contributor

Hey @sigv just checking in again.
We've got a backlog refinement and grooming meeting on today. This PR and the related issue, #5422, is on our list.

When you get an opportunity, can you confirm if our changes to allow securityContext to be overridden will work for this use case?

@danielnginx danielnginx removed the ready for refinement An issue that was triaged and it is ready to be refined label Jul 11, 2024
@shaun-nx
Copy link
Contributor

shaun-nx commented Sep 4, 2024

Hi @sigv
Please let us know if you get a chance to confirm our questions.
For now, we're going to close this issue as the changes in #5084 appears to resolve this issue.

Please do re-open this issue, or a new issue if you think that is needed.

@shaun-nx shaun-nx closed this as completed Sep 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backlog Pull requests/issues that are backlog items needs more info Issues that require more information proposal An issue that proposes a feature request
Projects
None yet
Milestone
Candidates
Development

Successfully merging a pull request may close this issue.

Apply UID/GID defaults from image sigv/kubernetes-ingress
4 participants
@sigv @vepatel @shaun-nx @danielnginx