Securing builds by strategy
Builds in OKD are run in privileged containers. Depending on the build strategy used, if you have privileges, you can run builds to escalate their permissions on the cluster and host nodes. And as a security measure, it limits who can run builds and the strategy that is used for those builds. Custom builds are inherently less safe than source builds, because they can execute any code within a privileged container, and are disabled by default. Grant docker build permissions with caution, because a vulnerability in the Dockerfile processing logic could result in a privileges being granted on the host node.
By default, all users that can create builds are granted permission to use the docker and Source-to-image (S2I) build strategies. Users with cluster administrator privileges can enable the custom build strategy, as referenced in the restricting build strategies to a user globally section.
You can control who can build and which build strategies they can use by using an authorization policy. Each build strategy has a corresponding build subresource. A user must have permission to create a build and permission to create on the build strategy subresource to create builds using that strategy. Default roles are provided that grant the create permission on the build strategy subresource.
Strategy | Subresource | Role |
---|---|---|
Docker | builds/docker | system:build-strategy-docker |
Source-to-Image | builds/source | system:build-strategy-source |
Custom | builds/custom | system:build-strategy-custom |
JenkinsPipeline | builds/jenkinspipeline | system:build-strategy-jenkinspipeline |
Disabling access to a build strategy globally
To prevent access to a particular build strategy globally, log in as a user with cluster administrator privileges, remove the corresponding role from the system:authenticated
group, and apply the annotation rbac.authorization.kubernetes.io/autoupdate: "false"
to protect them from changes between the API restarts. The following example shows disabling the docker build strategy.
Procedure
Apply the
rbac.authorization.kubernetes.io/autoupdate
annotation:$ oc edit clusterrolebinding system:build-strategy-docker-binding
Example output
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "false" (1)
creationTimestamp: 2018-08-10T01:24:14Z
name: system:build-strategy-docker-binding
resourceVersion: "225"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/system%3Abuild-strategy-docker-binding
uid: 17b1f3d4-9c3c-11e8-be62-0800277d20bf
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:build-strategy-docker
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
1 Change the rbac.authorization.kubernetes.io/autoupdate
annotation’s value to“false”
.Remove the role:
$ oc adm policy remove-cluster-role-from-group system:build-strategy-docker system:authenticated
Ensure the build strategy subresources are also removed from these roles:
$ oc edit clusterrole admin
$ oc edit clusterrole edit
For each role, specify the subresources that correspond to the resource of the strategy to disable.
Disable the docker Build Strategy for admin:
kind: ClusterRole
metadata:
name: admin
...
- apiGroups:
- ""
- build.openshift.io
resources:
- buildconfigs
- buildconfigs/webhooks
- builds/custom (1)
- builds/source
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
...
1 Add builds/custom
andbuilds/source
to disable docker builds globally for users with the admin role.
Restricting build strategies to users globally
You can allow a set of specific users to create builds with a particular strategy.
Prerequisites
- Disable global access to the build strategy.
Procedure
Assign the role that corresponds to the build strategy to a specific user. For example, to add the
system:build-strategy-docker
cluster role to the userdevuser
:$ oc adm policy add-cluster-role-to-user system:build-strategy-docker devuser
Granting a user access at the cluster level to the
builds/docker
subresource means that the user can create builds with the docker strategy in any project in which they can create builds.
Restricting build strategies to a user within a project
Similar to granting the build strategy role to a user globally, you can allow a set of specific users within a project to create builds with a particular strategy.
Prerequisites
- Disable global access to the build strategy.
Procedure
Assign the role that corresponds to the build strategy to a specific user within a project. For example, to add the
system:build-strategy-docker
role within the projectdevproject
to the userdevuser
:$ oc adm policy add-role-to-user system:build-strategy-docker devuser -n devproject