When installing a namespace-scoped Argo CD instance, the argocd-redis pods are assigned the nonroot-v2 SecurityContextConstraints (SCC) instead of the default restricted-v2 SCC. This results in the pods having higher privileges than expected.
This issue appears to originate from the Redis container image, which explicitly sets RunAsUser: 999, requiring nonroot-v2 SCC instead of the more restrictive restricted-v2 SCC.
Key Question
Is there a specific reason the Redis container must run as UID 999 instead of using a dynamically assigned UID?
Security Concern: Elevated Privileges for Redis ServiceAccount
In OpenShift, SecurityContextConstraints (SCCs) define the security policies under which pods operate.
Expected SCC for namespace-scoped Argo CD instances: restricted-v2 (enforces randomized UID allocation and strict privilege restrictions).
Current SCC for Redis pods: nonroot-v2 (allows running as a fixed UID, in this case, 999, which grants higher privileges).
This discrepancy raises potential security concerns, as unprivileged users may be able to deploy a pod using the argocd-redis ServiceAccount with elevated privileges.
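To make the SCC mismatch described in this issue concrete, here is an added example (not OpenShift's admission code and not part of the argocd-operator) that approximates how the two SCCs decide on a pod. It models only the runAsUser strategy, privileged mode, allowPrivilegeEscalation and added capabilities; the namespace UID range is a constructed sample value, and the helper names (`admit`, `violations`, `redis_pod`) are this example's own. It assumes OpenShift's documented rules: restricted-v2 uses the MustRunAsRange strategy against the namespace's `openshift.io/sa.scc.uid-range` annotation, nonroot-v2 uses MustRunAsNonRoot, and equal-priority SCCs are tried most restrictive first.

```python
"""Approximate OpenShift SCC admission for restricted-v2 and nonroot-v2.

Added illustration, not OpenShift's or the argocd-operator's code.
Assumptions: only runAsUser strategy, privileged mode, privilege escalation
and added capabilities are modelled; the UID range below is a constructed
sample; SCCs are tried in OpenShift's default order for equal-priority SCCs
(most restrictive first), so restricted-v2 is tried before nonroot-v2.
"""
import re

# Value of the namespace annotation openshift.io/sa.scc.uid-range as
# OpenShift writes it: "<start>/<size>". Constructed sample value.
NAMESPACE_UID_RANGE = "1000700000/10000"

# Capabilities both SCCs allow a container to add after dropping ALL.
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def parse_uid_range(annotation):
    """'start/size' -> inclusive (lo, hi)."""
    m = re.fullmatch(r"(\d+)/(\d+)", annotation)
    if not m:
        raise ValueError(f"bad uid-range annotation: {annotation!r}")
    start, size = int(m.group(1)), int(m.group(2))
    return start, start + size - 1


def effective_uid(pod, container):
    """runAsUser as admission sees it: the container field overrides the pod
    field; None means unset (image USER or an assigned UID applies later)."""
    csc = container.get("securityContext") or {}
    psc = pod.get("securityContext") or {}
    return csc.get("runAsUser", psc.get("runAsUser"))


def shared_violations(container):
    """Restrictions restricted-v2 and nonroot-v2 enforce identically."""
    sc = container.get("securityContext") or {}
    problems = []
    if sc.get("privileged"):
        problems.append("privileged containers are not allowed")
    if sc.get("allowPrivilegeEscalation"):
        problems.append("allowPrivilegeEscalation must be false")
    added = set((sc.get("capabilities") or {}).get("add") or [])
    extra = added - ALLOWED_ADD_CAPS
    if extra:
        problems.append(f"capabilities not allowed: {sorted(extra)}")
    return problems


def violations(pod, scc, uid_range=NAMESPACE_UID_RANGE):
    """Reasons `scc` would reject `pod`; an empty list means admitted."""
    lo, hi = parse_uid_range(uid_range)
    problems = []
    for c in pod["containers"]:
        name = c["name"]
        problems += [f"{name}: {p}" for p in shared_violations(c)]
        uid = effective_uid(pod, c)
        if scc == "restricted-v2":
            # MustRunAsRange: unset is fine (admission assigns `lo`);
            # an explicit UID must fall inside the namespace range.
            if uid is not None and not (lo <= uid <= hi):
                problems.append(f"{name}: runAsUser {uid} outside range {lo}-{hi}")
        elif scc == "nonroot-v2":
            # MustRunAsNonRoot: any explicit non-zero UID passes; unset is
            # accepted here and checked against the image USER at runtime.
            if uid == 0:
                problems.append(f"{name}: runAsUser 0 is not allowed")
        else:
            raise ValueError(f"unknown SCC {scc!r}")
    return problems


def admit(pod, uid_range=NAMESPACE_UID_RANGE):
    """Name of the first SCC (most restrictive first) that admits the pod,
    or None if neither does."""
    for scc in ("restricted-v2", "nonroot-v2"):
        if not violations(pod, scc, uid_range):
            return scc
    return None


def redis_pod(run_as_user):
    """Constructed pod spec resembling the argocd-redis workload."""
    sc = {"allowPrivilegeEscalation": False,
          "capabilities": {"drop": ["ALL"]}}
    if run_as_user is not None:
        sc["runAsUser"] = run_as_user
    return {"containers": [{"name": "redis", "securityContext": sc}]}


if __name__ == "__main__":
    for uid in (999, None, 1000700005, 0):
        pod = redis_pod(uid)
        print(f"runAsUser={uid!s:>10}: admitted by {admit(pod)}; "
              f"restricted-v2 says {violations(pod, 'restricted-v2') or 'ok'}")
```

Running it shows the effect the issue describes: with `runAsUser: 999` the pod fails restricted-v2 because 999 lies outside the namespace's UID range and falls through to nonroot-v2, while the same spec with runAsUser left unset is admitted by restricted-v2 and receives a range UID. On a real cluster the SCC actually applied is recorded in the pod annotation `openshift.io/scc`, so `oc get pod -n <ns> -l app.kubernetes.io/name=argocd-redis -o jsonpath='{.items[*].metadata.annotations.openshift\.io/scc}'` (label selector assumed) is the quick way to confirm which SCC admitted the Redis pods.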