Deviation from upstream restricted PSP #35191
Comments
This repository uses a bot to automatically label issues which have not had any activity (commit/comment/label) for 60 days. This helps us manage the community issues better. If the issue is still relevant, please add a comment to the issue so the bot can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the bot will automatically close the issue in 14 days. Thank you for your contributions.

Still interested in a solution to this issue, as this behavior also occurs in versions 2.6.x, as far as I can tell.

PR #36367

Docs PR rancher/docs#3849

Apologies, the issue was closed when the PR got merged. I'm reopening, so QA can properly validate it.
Root Cause
The
While the upstream has:
In our docs we also wrongly state that our
See this comment for more information.

What was fixed?
A new
This new policy was created, instead of fixing the current provided policy, in order to avoid breaking customers' deployments that are using the

What should be tested?

What areas could experience regressions?
Rancher pods might fail to run in case they bind to the
Reproduced on v2.6.3 Rancher helm installation
Validations on 2.6-head local k8s 1.21 and PSP set to restricted
Verified test cases on 2.6-head 978e165
Upgrade test case:
SURE-3199
Rancher Server Setup
Describe the bug
`runAsUser` is set to `RunAsAny` in the restricted PSP, which is a deviation from the upstream example PSP.
To Reproduce
Checked the documentation and found the following:
This policy is based on the Kubernetes example restricted policy.
The upstream example restricted PSP shows the following:

```yaml
runAsUser:
  # Require the container to run without root privileges.
  rule: 'MustRunAsNonRoot'
```
But the Rancher restricted PSP is not the same.
Result
Default restricted policy allows the container to run processes as the root user.
Expected Result
Default restricted policy should not allow the container to run processes as the root user.
Or there should be a note in documentation if this PSP deviation from the upstream example is intentional.
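One way to find out which policies in a cluster still carry the `RunAsAny` rule described in this issue, as an added example that is not part of the issue or of Rancher's code: the script below takes the JSON shape that `kubectl get psp -o json` emits (a sample is constructed inline; the policy names in it are illustrative and not taken from any real cluster) and reports every PodSecurityPolicy whose `runAsUser` rule can admit a container running as uid 0. It goes one step beyond the `RunAsAny` case reported above by also flagging `MustRunAs` policies whose UID ranges include 0, since those admit root just as readily.

```python
"""Audit PodSecurityPolicy objects for a runAsUser rule that admits root.

Added example, not Rancher code. Input is the JSON shape that
`kubectl get psp -o json` produces; the sample below is constructed.
"""
import json

# Constructed sample in the shape `kubectl get psp -o json` returns.
# Names and values are illustrative only.
SAMPLE_PSP_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # mirrors the deviation reported in the issue: rule RunAsAny
            "apiVersion": "policy/v1beta1",
            "kind": "PodSecurityPolicy",
            "metadata": {"name": "restricted"},
            "spec": {"privileged": False,
                     "runAsUser": {"rule": "RunAsAny"}},
        },
        {   # mirrors the upstream example restricted policy
            "apiVersion": "policy/v1beta1",
            "kind": "PodSecurityPolicy",
            "metadata": {"name": "restricted-noroot"},
            "spec": {"privileged": False,
                     "runAsUser": {"rule": "MustRunAsNonRoot"}},
        },
        {   # MustRunAs, but the allowed range still covers uid 0
            "apiVersion": "policy/v1beta1",
            "kind": "PodSecurityPolicy",
            "metadata": {"name": "ranged-includes-root"},
            "spec": {"runAsUser": {"rule": "MustRunAs",
                                   "ranges": [{"min": 0, "max": 65535}]}},
        },
        {   # MustRunAs with a range that excludes uid 0
            "apiVersion": "policy/v1beta1",
            "kind": "PodSecurityPolicy",
            "metadata": {"name": "ranged-noroot"},
            "spec": {"runAsUser": {"rule": "MustRunAs",
                                   "ranges": [{"min": 1000, "max": 65535}]}},
        },
    ],
})


def run_as_user_allows_root(spec):
    """Return True if this PSP spec's runAsUser rule can admit a pod running as uid 0."""
    run_as_user = spec.get("runAsUser", {})
    rule = run_as_user.get("rule")
    if rule == "MustRunAsNonRoot":
        return False
    if rule == "MustRunAs":
        # MustRunAs admits any uid inside one of the declared ranges, so root
        # is admitted exactly when some range covers 0.
        ranges = run_as_user.get("ranges", [])
        return any(r.get("min", 0) <= 0 <= r.get("max", 0) for r in ranges)
    # RunAsAny (or a missing rule) places no restriction on the uid.
    return True


def audit_psps(psp_list_json):
    """Return {policy name: runAsUser rule} for every PSP that admits root."""
    doc = json.loads(psp_list_json)
    findings = {}
    for item in doc.get("items", []):
        spec = item.get("spec", {})
        if run_as_user_allows_root(spec):
            name = item["metadata"]["name"]
            findings[name] = spec.get("runAsUser", {}).get("rule", "<unset>")
    return findings


if __name__ == "__main__":
    for name, rule in sorted(audit_psps(SAMPLE_PSP_LIST).items()):
        print(f"{name}: runAsUser.rule={rule} admits containers running as root")
```

Against a live cluster, pass the output of `kubectl get psp -o json` to `audit_psps()` instead of the constructed sample. The `MustRunAs` branch is the generalization mentioned in the lead-in: a policy whose rule is `MustRunAs` looks stricter than `RunAsAny`, but it only excludes root if every declared range starts above 0. Note that the PodSecurityPolicy API was removed in Kubernetes 1.25, so this check applies to clusters that still run the `policy/v1beta1` resource.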