Hello
I thought it would make more sense to continue the discussion from #989 in a distinct issue, hence I'm opening this ticket to report the mismatch between the Helm chart and OpenShift default Security Context Constraints. (Tested with CodeReady Containers v4.13.)
Output of helm install
W0821 07:57:17.613177 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": runAsNonRoot != true (container "alfresco-content-services" must not set securityContext.runAsNonRoot=false)
W0821 07:57:17.631141 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.631141 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "activemq" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.635153 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.635572 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "alfresco-control-center" must set securityContext.allowPrivilegeEscalation=false), seccompProfile (pod or container "alfresco-control-center" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.639977 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.643660 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.643660 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.655524 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or container "alfresco-search" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.782326 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": seccompProfile (pod or containers "wait-db-ready", "alfresco-content-services" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
W0821 07:57:17.841770 1884 warnings.go:70] would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "postgresql" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "postgresql" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "postgresql" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "postgresql" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
I find that the Helm output logs do not give the proper impression of the mismatch between securityContext definition and the default SCC available.
When looking at each resource individually, we can see the reasons why each default SCC cannot be used. Most of the time, runAsUser has a value lower than the valid range of the restricted-v2 SCC.
alfresco-postgresql-acs StatefulSet
create Pod alfresco-postgresql-acs-0 in StatefulSet alfresco-postgresql-acs failed error: pods "alfresco-postgresql-acs-0" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 1001: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-active-mq Deployment
pods "alfresco-activemq-dc4c6c95b-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33031: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-active-cc Deployment
pods "alfresco-alfresco-cc-598884f77d-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 101: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-cs-imagemagick Deployment
pods "alfresco-alfresco-cs-imagemagick-57d5b8b95f-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33002: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-cs-libreoffice Deployment
pods "alfresco-alfresco-cs-libreoffice-cc569bc75-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33003: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-cs-pdfrenderer Deployment
pods "alfresco-alfresco-cs-pdfrenderer-576995585-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33001: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-cs-repository Deployment
pods "alfresco-alfresco-cs-repository-5c77f58d5f-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1000}: 1000 is not an allowed group,
provider restricted-v2: .initContainers[0].runAsUser: Invalid value: 33000: must be in the ranges: [1000670000, 1000679999],
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33000: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-cs-tika Deployment
pods "alfresco-alfresco-cs-tika-6457b98b57-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33004: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-cs-transform-misc Deployment
pods "alfresco-alfresco-cs-transform-misc-6f94976c8c-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33006: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
alfresco-alfresco-search-solr Deployment
pods "alfresco-alfresco-search-solr-5c6d4d9bfc-" is forbidden: unable to validate against any security context constraint: [
provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{33007}: 33007 is not an allowed group,
provider restricted-v2: .containers[0].runAsUser: Invalid value: 33007: must be in the ranges: [1000670000, 1000679999],
provider "restricted": Forbidden: not usable by user or serviceaccount,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
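The report above shows two separate gates rejecting the same pods: the PodSecurity "restricted" admission warnings (seccompProfile, allowPrivilegeEscalation, capabilities, runAsNonRoot) and the restricted-v2 SCC range checks (runAsUser and fsGroup must fall in the namespace's allocated range). The following pre-flight checker is an added example, not part of this issue or of the Alfresco chart; it approximates those conditions so a chart's rendered pod spec can be screened before `helm install` reaches the cluster. The UID range is read from the `openshift.io/sa.scc.uid-range` namespace annotation format (`<start>/<size>`, which is how the 1000670000-1000679999 range in the logs is expressed); the pod specs below are constructed from the values quoted in the issue (runAsUser 1001, fsGroup 1001) and are not the chart's actual manifests. The rules here are a simplification of OpenShift's SCC admission, not its implementation.

```python
"""Screen a pod spec against the restricted-v2 / PodSecurity "restricted" conditions
seen in the issue. Added example; the rules are an approximation, not OpenShift's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    low: int
    high: int

    def contains(self, value: int) -> bool:
        return self.low <= value <= self.high


def parse_scc_range(annotation: str) -> IdRange:
    """Parse the '<start>/<size>' form used by openshift.io/sa.scc.uid-range
    and openshift.io/sa.scc.supplemental-groups (e.g. '1000670000/10000')."""
    start, size = annotation.split("/")
    return IdRange(int(start), int(start) + int(size) - 1)


def _effective_sc(pod_sc: dict, ctr_sc: dict) -> dict:
    """Container securityContext keys override the pod-level ones (runAsUser,
    runAsNonRoot, seccompProfile); container-only keys are simply taken as given."""
    merged = dict(pod_sc or {})
    merged.update(ctr_sc or {})
    return merged


def check_pod(pod_spec: dict, uid_range: IdRange, group_range: IdRange) -> list:
    """Return one finding string per violated condition; an empty list means the
    spec would not trip any of the checks quoted in the issue."""
    findings = []
    pod_sc = pod_spec.get("securityContext", {})

    # SCC: fsGroup must come from the namespace's supplemental-groups range.
    fs_group = pod_sc.get("fsGroup")
    if fs_group is not None and not group_range.contains(fs_group):
        findings.append(f".spec.securityContext.fsGroup: {fs_group} is not an allowed group")

    for kind in ("initContainers", "containers"):
        for i, ctr in enumerate(pod_spec.get(kind, [])):
            name = ctr.get("name", f"{kind}[{i}]")
            sc = _effective_sc(pod_sc, ctr.get("securityContext"))

            # SCC: an explicit runAsUser must sit inside the namespace UID range.
            # Leaving it unset lets OpenShift assign one from that range.
            uid = sc.get("runAsUser")
            if uid is not None and not uid_range.contains(uid):
                findings.append(
                    f"{kind}[{i}] ({name}).runAsUser: {uid} must be in the range "
                    f"[{uid_range.low}, {uid_range.high}]")

            # PodSecurity restricted: pod or container must set runAsNonRoot=true.
            if sc.get("runAsNonRoot") is not True:
                findings.append(f"{name}: runAsNonRoot != true")

            # PodSecurity restricted: allowPrivilegeEscalation must be explicitly false.
            if sc.get("allowPrivilegeEscalation") is not False:
                findings.append(f"{name}: allowPrivilegeEscalation != false")

            # PodSecurity restricted / SCC requiredDropCapabilities: drop ALL.
            dropped = [c.upper() for c in (sc.get("capabilities") or {}).get("drop", [])]
            if "ALL" not in dropped:
                findings.append(f"{name}: capabilities.drop must contain ALL")

            # PodSecurity restricted: seccompProfile.type RuntimeDefault or Localhost.
            profile = (sc.get("seccompProfile") or {}).get("type")
            if profile not in ("RuntimeDefault", "Localhost"):
                findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


# Constructed sample mirroring the postgresql values quoted in the issue.
POSTGRES_POD = {
    "securityContext": {"fsGroup": 1001},
    "containers": [{"name": "postgresql", "securityContext": {"runAsUser": 1001}}],
}

# Constructed hardened variant: no fixed UID/GID (OpenShift assigns from the namespace
# range), and the PodSecurity "restricted" fields set explicitly.
HARDENED_POD = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "postgresql", "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}],
}

# Constructed namespace annotations in the format OpenShift writes them.
UID_RANGE = parse_scc_range("1000670000/10000")
GROUP_RANGE = parse_scc_range("1000670000/10000")

if __name__ == "__main__":
    for label, spec in (("as shipped", POSTGRES_POD), ("hardened", HARDENED_POD)):
        print(f"== {label} ==")
        for f in check_pod(spec, UID_RANGE, GROUP_RANGE) or ["no findings"]:
            print("  " + f)
```

Running it prints six findings for the as-shipped spec (the out-of-range fsGroup and runAsUser plus the four PodSecurity fields) and none for the hardened one. The design point is that the two range findings can only be fixed by dropping the hard-coded UID/GID or by granting a less restrictive SCC to the service account, whereas the other four are plain additions to the chart's securityContext.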