case3

ramachandranravi · Jul 21, 2023 · cee79b9 · cee79b9
1 parent 12f876d
commit cee79b9
Showing 1 changed file with 44 additions and 28 deletions.
diff --git a/case3 b/case3
@@ -11,20 +11,29 @@ can access /etc/ -	no
 
 output reference:
 
-# ps -Z 2372228
+# # ps -Z 3777354
 LABEL                               PID TTY      STAT   TIME COMMAND
-system_u:system_r:container_logreader_t:s0:c334,c743 2372228 ? Ss   0:00 tail -f /var/log/audit/audit.log
-  
-$ oc get pod nginx-deployment-6c8cdd497d-bqfk6 -o yaml | grep scc
-    openshift.io/scc: hostmount-anyuid-nginx
+system_u:system_r:container_logreader_t:s0:c40,c777 3777354 ? Ss   0:00 tail -f /var/log/audit/audit.log
+
+$ $ oc get pod nginx-deployment-759764d567-kb2cr -o yaml | grep scc
+    openshift.io/scc: restricted-v2-nginx
 
-$ oc logs nginx-deployment-6c8cdd497d-bqfk6 -c sidecar | head -4
+$ oc logs nginx-deployment-759764d567-kb2cr -c sidecar
 cat: can't open '/etc/hostname': Permission denied
 Sat Jul 15 01:56:45 UTC 2023
 Sat Jul 15 02:02:26 UTC 2023
-type=MAC_POLICY_LOAD msg=audit(1689700410.302:80568): auid=4294967295 ses=4294967295 lsm=selinux res=1AUID="unset"
-=============================================================================
+=====/var/log/pods output=====
+2023-07-18T18:57:06.528951756+00:00 stderr F 10.128.0.2 - - [2023-07-18 18:57:04] "GET /health HTTP/1.1" 200 117 0.000656
+2023-07-18T18:57:06.528951756+00:00 stderr F WARNING:kube_ops_view.kubernetes:Failed to query node metrics 172-30-0-1:443: 404 Not Found
+=====tail output======
+type=MAC_POLICY_LOAD msg=audit(1689905199.010:104509): auid=4294967295 ses=4294967295 lsm=selinux res=1AUID="unset"
+type=SYSCALL msg=audit(1689905199.010:104509): arch=c000003e syscall=1 success=yes exit=8930835 a0=4 a1=7fd22560c000 a2=884613 a3=0 items=0 ppid=3775681 pid=3776481 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="load_policy" exe="/usr/sbin/load_policy" subj=system_u:system_r:spc_t:s0:c641,c914 key=(null)ARCH=x86_64 SYSCALL=write AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
+
+$ oc exec -it nginx-deployment-759764d567-kb2cr -c sidecar -- touch /var/log/delete
+touch: /var/log/delete: Read-only file system
+command terminated with exit code 1
 
+=============================================================================
 Observation: pod can only read audit logs and any other files within /var/log with container_logreader_t type but cannot access host's /etc directory.
 =============================================================================
 apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
@@ -41,15 +50,14 @@ spec:
       labels:
         app: nginx
     spec:
-      #serviceAccountName: privileged
-      serviceAccountName: nginx
+      serviceAccountName: restricted-v2-nginx
       containers:
       - name: nginx
         image: quay.io/rh_ee_raravi/nginx:1.14.2
         ports:
         - containerPort: 80
         securityContext:
-               seLinuxOptions:
+              seLinuxOptions:
                 type: logsample-seprofile_logsample.process
                 #privileged: true
         args: [/bin/sh, -c, 'while true; do echo $(date) >> /var/log/date.log; sleep 1; done']
@@ -60,7 +68,7 @@ spec:
       - name: sidecar
         image: quay.io/rh_ee_raravi/busybox:latest
         command: ["/bin/sh", "-c"]
-        args: ["cat /etc/hostname; head -2 /var/log/date.log; tail -f /var/log/audit/audit.log"]
+        args: ["cat /etc/hostname; head -2 /var/log/date.log; echo '=====/var/log/pods output====='; head -2 /var/log/pods/ocp-ops-view_kube-ops-view-*/service/0.log; echo '=====tail output======'; tail -f /var/log/audit/audit.log;"]
         #args: [/bin/sh, -c, 'cat /etc/passwd']
         volumeMounts:
         - name: etcdir
@@ -82,7 +90,8 @@ spec:
             path: /etc
             type: Directory
 
-$ oc get scc hostmount-anyuid-nginx -o yaml
+
+$ oc get scc restricted-v2-nginx -o yaml
 allowHostDirVolumePlugin: true
 allowHostIPC: false
 allowHostNetwork: false
@@ -94,7 +103,7 @@ allowedCapabilities: null
 apiVersion: security.openshift.io/v1
 defaultAddCapabilities: null
 fsGroup:
-  type: RunAsAny
+  type: MustRunAs
 groups: []
 kind: SecurityContextConstraints
 metadata:
@@ -103,31 +112,38 @@ metadata:
     include.release.openshift.io/self-managed-high-availability: "true"
     include.release.openshift.io/single-node-developer: "true"
     kubectl.kubernetes.io/last-applied-configuration: |
-      {"allowHostDirVolumePlugin":true,"allowHostIPC":false,"allowHostNetwork":false,"allowHostPID":false,"allowHostPorts":false,"allowPrivilegeEscalation":false,"allowPrivilegedContainer":true,"allowedCapabilities":null,"apiVersion":"security.openshift.io/v1","defaultAddCapabilities":null,"fsGroup":{"type":"RunAsAny"},"groups":[],"kind":"SecurityContextConstraints","metadata":{"annotations":{"include.release.openshift.io/ibm-cloud-managed":"true","include.release.openshift.io/self-managed-high-availability":"true","include.release.openshift.io/single-node-developer":"true","kubernetes.io/description":"hostmount-anyuid provides all the features of the\nrestricted SCC but allows host mounts and any UID by a pod.  This is primarily\nused by the persistent volume recycler. WARNING: this SCC allows host file\nsystem access as any UID, including UID 0.  Grant with caution."},"generation":37,"name":"hostmount-anyuid-nginx"},"priority":null,"readOnlyRootFilesystem":false,"requiredDropCapabilities":null,"runAsUser":{"type":"RunAsAny"},"seLinuxContext":{"type":"RunAsAny"},"supplementalGroups":{"type":"RunAsAny"},"users":["system:serviceaccount:logsample:nginx"],"volumes":["configMap","downwardAPI","hostPath","projected","secret"]}
-    kubernetes.io/description: |-
-      hostmount-anyuid provides all the features of the
-      restricted SCC but allows host mounts and any UID by a pod.  This is primarily
-      used by the persistent volume recycler. WARNING: this SCC allows host file
-      system access as any UID, including UID 0.  Grant with caution.
-  creationTimestamp: "2023-07-15T02:38:24Z"
-  generation: 4
-  name: hostmount-anyuid-nginx
-  resourceVersion: "41605766"
-  uid: 0d16797a-87b7-44cb-a4fd-99ff65b158c9
+      {"allowHostDirVolumePlugin":true,"allowHostIPC":false,"allowHostNetwork":false,"allowHostPID":false,"allowHostPorts":false,"allowPrivilegeEscalation":false,"allowPrivilegedContainer":false,"allowedCapabilities":["NET_BIND_SERVICE"],"apiVersion":"security.openshift.io/v1","defaultAddCapabilities":null,"fsGroup":{"type":"MustRunAs"},"groups":[],"kind":"SecurityContextConstraints","metadata":{"annotations":{"include.release.openshift.io/ibm-cloud-managed":"true","include.release.openshift.io/self-managed-high-availability":"true","include.release.openshift.io/single-node-developer":"true","kubernetes.io/description":"restricted-v2 denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC and it is used by default for authenticated users. On top of the legacy 'restricted' SCC, it also requires to drop ALL capabilities and does not allow privilege escalation binaries. It will also default the seccomp profile to runtime/default if unset, otherwise this seccomp profile is required."},"creationTimestamp":"2023-03-03T20:30:50Z","generation":1,"name":"restricted-v2-nginx","ownerReferences":[{"apiVersion":"config.openshift.io/v1","kind":"ClusterVersion","name":"version","uid":"c91ec6a6-6a35-456f-8c69-0fb4b52bb3f1"}],"resourceVersion":"1766","uid":"01d13437-b5ba-414d-be79-ae33d997c01a"},"priority":null,"readOnlyRootFilesystem":false,"requiredDropCapabilities":["ALL"],"runAsUser":{"type":"MustRunAsRange"},"seLinuxContext":{"type":"RunAsAny"},"seccompProfiles":["runtime/default"],"supplementalGroups":{"type":"RunAsAny"},"users":[],"volumes":["configMap","downwardAPI","secret","hostPath"]}
+    kubernetes.io/description: restricted-v2 denies access to all host features and
+      requires pods to be run with a UID, and SELinux context that are allocated to
+      the namespace. This is the most restrictive SCC and it is used by default for
+      authenticated users. On top of the legacy 'restricted' SCC, it also requires
+      to drop ALL capabilities and does not allow privilege escalation binaries. It
+      will also default the seccomp profile to runtime/default if unset, otherwise
+      this seccomp profile is required.
+  creationTimestamp: "2023-07-21T01:43:24Z"
+  generation: 5
+  name: restricted-v2-nginx
+  ownerReferences:
+  - apiVersion: config.openshift.io/v1
+    kind: ClusterVersion
+    name: version
+    uid: c91ec6a6-6a35-456f-8c69-0fb4b52bb3f1
+  resourceVersion: "42852016"
+  uid: 5a284e9d-0f53-48e9-ae24-a121879a182b
 priority: null
 readOnlyRootFilesystem: false
 requiredDropCapabilities: null
 runAsUser:
   type: RunAsAny
 seLinuxContext:
   type: RunAsAny
+seccompProfiles:
+- runtime/default
 supplementalGroups:
   type: RunAsAny
-users:
-- system:serviceaccount:logsample:nginx
+users: []
 volumes:
 - configMap
 - downwardAPI
 - hostPath
-- projected
 - secret