OADP-290 Bug: The velero-privileged SCC is causing the CIS benchmark to fail
#576
Comments
Resolution: the appropriate Security Context Constraints (SCCs) should set capabilities as a list in allowedCapabilities.
@kaovilai, the policy rule is checking this command: Not sure what the resolution will be here, e.g. a) ignoring the
Why does OADP use
From internal discussion, the fear we had was that privileged could have been modified and cause breakage to our app. So velero-privileged is created to guarantee the required SCC, so to speak.
It should be possible to use the privileged SCC, but we may need to do some tests. I think what we have is (edit: not) less permissive.
I think it should be possible to query the privileged SCC to check for expected values. If it's what we expect, we use it and the CIS benchmark passes. If it's not expected, we create velero-privileged. If someone complains about CIS, tell them to fix the privileged SCC.
I believe the velero-privileged SCC is a hangover from MTC for AOS 3.x. For OCP 4.x the way to use the privileged SCC is the use verb, like so:
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting. If this issue is safe to close now please do so with
/lifecycle stale
/remove-lifecycle stale
/lifecycle frozen
Also tracked on: https://issues.redhat.com/browse/OADP-290
@jmontleon Changing over to using the USE verb for SCCs is something I highly recommend. The product I worked on found out that applying the SCC directly to pods can have a race condition between editing the SCC and how long it takes for the SCC to be applied, when doing anything in between that is affected by the SCC.
This will also land in 1.1.2
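The thread above discusses two things without showing code: the benchmark check that trips on an SCC with a value in allowedCapabilities, and the alternative of granting the `use` verb on the built-in `privileged` SCC through RBAC. The following is an added example, not code from the OADP issue or the operator. The rule name and command are elided in the issue, so the check here follows the behaviour the reporter describes (any SCC that sets allowedCapabilities is reported, and wildcard `*` entries are called out separately) rather than the Compliance Operator's actual query; the set of built-in SCC names it skips, the sample SCC list, and the `velero` service account, `openshift-adp` namespace and Role name are all assumptions.

```python
"""Added example for the OADP-290 thread (not the operator's code).

1. A CIS-style SCC check reconstructed from the issue text: flag any
   non-built-in SCC that sets allowedCapabilities, and note wildcards.
2. The RBAC alternative raised in the comments: grant a service account
   the `use` verb on the existing `privileged` SCC instead of shipping a
   custom SCC.
"""
import json

# Constructed sample in the shape of `oc get scc -o json`, trimmed to the
# fields the check reads. "velero-privileged" mirrors what the issue reports
# (allowedCapabilities: ["*"]); "example-listed-caps" is made up.
SAMPLE_SCC_LIST = json.loads("""
{
  "kind": "List",
  "items": [
    {"metadata": {"name": "velero-privileged"},
     "allowPrivilegedContainer": true, "allowedCapabilities": ["*"]},
    {"metadata": {"name": "privileged"},
     "allowPrivilegedContainer": true, "allowedCapabilities": ["*"]},
    {"metadata": {"name": "restricted"},
     "allowPrivilegedContainer": false, "allowedCapabilities": null},
    {"metadata": {"name": "example-listed-caps"},
     "allowPrivilegedContainer": false,
     "allowedCapabilities": ["NET_BIND_SERVICE", "SYS_CHROOT"]}
  ]
}
""")

# Assumption: SCCs that ship with OpenShift are out of scope for the check,
# the way a benchmark exclusion list would treat them.
BUILTIN_SCCS = frozenset({"privileged", "restricted"})


def sccs_with_allowed_capabilities(scc_list, skip=BUILTIN_SCCS):
    """Return {scc_name: allowedCapabilities} for every SCC not in `skip`
    that sets allowedCapabilities at all. An empty dict means the check passes."""
    findings = {}
    for item in scc_list.get("items", []):
        name = item["metadata"]["name"]
        caps = item.get("allowedCapabilities") or []   # null -> no finding
        if name not in skip and caps:
            findings[name] = list(caps)
    return findings


def wildcard_sccs(findings):
    """Names from `findings` whose allowedCapabilities contains the "*" wildcard,
    the value the issue reports for velero-privileged."""
    return sorted(name for name, caps in findings.items() if "*" in caps)


def scc_use_rbac(service_account, namespace, scc_name="privileged",
                 role_name="use-privileged-scc"):
    """Build the Role and RoleBinding that let `service_account` run pods under
    an existing SCC via the `use` verb. Returns (role, binding) as dicts ready
    for json/yaml serialisation. Names are placeholders."""
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": role_name, "namespace": namespace},
        "rules": [{
            "apiGroups": ["security.openshift.io"],
            "resources": ["securitycontextconstraints"],
            "resourceNames": [scc_name],
            "verbs": ["use"],
        }],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": role_name, "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": service_account,
                      "namespace": namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
                    "name": role_name},
    }
    return role, binding


if __name__ == "__main__":
    findings = sccs_with_allowed_capabilities(SAMPLE_SCC_LIST)
    print("SCCs setting allowedCapabilities:", json.dumps(findings, indent=2))
    print("wildcard SCCs:", wildcard_sccs(findings))
    role, binding = scc_use_rbac("velero", "openshift-adp")
    print(json.dumps([role, binding], indent=2))
```

Against the constructed list the check reports velero-privileged and example-listed-caps, and only velero-privileged as a wildcard; the built-in `privileged` SCC also carries `*` but is skipped as out of scope. Passing `skip=frozenset()` shows why the comment about checking the built-in SCC's expected values matters: without an exclusion list, `privileged` itself would be a finding. The Role restricts `use` to a single SCC by `resourceNames`, so the service account gains nothing beyond what `privileged` already allows.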
Contact Details
No response
Describe bug
As per the title, the velero-privileged SCC is causing the CIS benchmark to fail. The Red Hat OADP operator is installed in our disconnected v4.8 cluster. The Compliance operator is checking compliance with the CIS Red Hat OpenShift Container Platform 4 Benchmark V1.1 and this rule is failing:
Verification:
The policy rule is checking the output of this command:
The velero-privileged SCC was created by the OADP operator. It sets a value in allowedCapabilities (currently "*") and thus the policy rule is failing. Please consider using the privileged SCC instead. Thanks in advance.
What happened?
The CIS benchmark failed because the created SCC sets a value in allowedCapabilities. Expected that the OADP operator would not create an SCC which causes the benchmark to fail.
OADP Version
v1.0.0 (Stable Red Hat operator)
OpenShift Version
4.8
Velero pod logs
No response
Restic pod logs
No response
Operator pod logs