New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Drop capabilities in s2i build container by default #7864
Conversation
|
[testonlyextended][extended:core(builds)] |
|
Evaluated for origin testonlyextended up to 26e798b |
|
continuous-integration/openshift-jenkins/testonlyextended FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/1930/) (Extended Tests: core(builds)) |
|
I think you can avoid the builder image build by just including the customized assemble script as ".s2i/bin" in the context dir you upload as the binary input, no? |
|
I also set the root password in the builder image and install 'expect' |
|
so you do. lgtm, pending resolution to the tests failing. |
|
Evaluated for origin test up to 26e798b |
|
@csrwng thanks, lgtm. |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/5261/) (Image: devenv-rhel7_3668) |
|
Evaluated for origin merge up to 26e798b |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/1965/) (Extended Tests: core(builds)) |
The container that is launched by s2i (outside of Kube control) currently allows an escalation of privilege via su or sudo. We can prevent this by dropping the same capabilities that are dropped for regular pods when running under the restricted SCC.
Fixes BZ 1315187