Prevent Source builders from running as root

[csrwng]

Adds SCC checking to Source build controller strategy to prevent builds from running as root.

[csrwng]

@smarterclayton ptal - this is WIP. I've been trying a few things with this one, and without requiring upstream changes to the SCC code, this is the best I have so far. Would like your input/ideas.

[csrwng]

@pweil- ptal

[liggitt]

can this express "anything other than 0"?

[csrwng]

Yes, it can have a list of ranges like 10-20,30,50,1024-. Ideally we'd be able to ask SCC what UID ranges are allowed for that user/sa and pass that on to the STI builder. But the way it is right now, I can only ask whether a particular user is allowed. @pweil - any thoguths?

[pweil-]

We could probably separate out some of the logic in the admission controller to an SCC api to help with calls like this. The relevant components are the total set of SCCs and the getMatchingSecurityContextConstraints method in admission which would provide the applicable sets. That could then be passed to something that would return the blocks of allowable uids supported.

[csrwng]

@pweil- Until we can get the range of users from SCCs, is this an acceptable approach to at least preventing the STI builder from running images that could potentially run as root?

[pweil-]

Yes, I believe this will be sufficient. If I'm understanding the sequence from the code below it is basically

1. See if the service account has access to run build pods as root by trying to admit a pod with runAsUser forced to 0
2. If the above fails set a range of anything except 0 with 1-
3. The STI builder checks the build image to prevent it from running if the uid is not in the range set by the env var.

[csrwng]

Basically yes

On Fri, Aug 7, 2015 at 5:03 PM, Paul Weil notifications@github.com wrote:

In
Godeps/_workspace/src/github.com/openshift/source-to-image/pkg/api/types.go
#4025 (comment):

@@ -91,6 +96,11 @@ type Config struct {
// Specify a relative directory inside the application repository that should
// be used as a root directory for the application.
ContextDir string
+

• // AllowedUIDs is a list of user ranges of users allowed to run the builder image.
• // If a range is specified and the builder image uses a non-numeric user or a user
• // that is outside the specified range, then the build fails.
• AllowedUIDs user.RangeList

Yes, I believe this will be sufficient. If I'm understanding the sequence
from the code below it is basically

1. See if the service account has access to run build pods as root by
   trying to admit a pod with runAsUser forced to 0
2. If the above fails set a range of anything except 0 with 1-
3. The STI builder checks the build image to prevent it from running
   if the uid is not in the range set by the env var.

—
Reply to this email directly or view it on GitHub
https://github.com/openshift/origin/pull/4025/files#r36561052.

[csrwng]

Depends on #4124

[csrwng]

[test]

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/4201/)

[csrwng]

@pweil- the s2i part is now in a separate PR (that this one depends on). Please let me know if you have any additional comments/questions on the origin commit.

[pweil-]

Cool. Other changes look fine to me. Thanks @csrwng

[csrwng]

@smarterclayton any comments?

[bparees]

lower(higher) log level? i don't think we need to print this on every run

[bparees]

also i'd just get it once and use it for the log and the if.

[csrwng]

thx @bparees - updates made

[openshift-bot]

Evaluated for origin test up to 9b6a18d

[bparees]

lgtm.

[bparees]

[merge]

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/3008/) (Image: devenv-fedora_2173)

[csrwng]

trying again... seems an issue with ui e2e
[merge]

[csrwng]

[merge]

[openshift-bot]

Evaluated for origin merge up to 9b6a18d