Re: Security implications of "runAsUser: type: RunAsAny"



I wonder, since the docker will be mapped using a dedicated route, don't you think it's wiser (more secure) to let nginx run on another port with fewer privileges, let's say 9090, then map your OpenShift route to it?

(It might not be that simple, but worth asking ;-)

On Nov 17, 2015 5:24 AM, "Clayton Coleman" <ccoleman redhat com> wrote:
Yes, you can do that

On Nov 16, 2015, at 10:55 PM, Jason DeTiberus <jdetiber redhat com> wrote:


On Nov 16, 2015 10:49 PM, "Clayton Coleman" <ccoleman redhat com> wrote:
>
> Yes - but if you enable the experimental user namespaces feature in Docker 1.9, you won't be able to run routers or admin-level pods on nodes.  Until we get fixes into Docker, it's somewhat limiting.

Is this something that can be worked around by using "infra" nodes to host the routers and admin level pods with user namespaces disabled and enabling user namespaces elsewhere?

>
> On Nov 16, 2015, at 8:57 PM, Philippe Lafoucrière <philippe lafoucriere tech-angels com> wrote:
>
>> Hmm, I'm not talking about "privileged" containers (in the docker way), I just want to run standard containers that users can find on the docker hub, like "nginx". It doesn't have to run privileged, it's just running as root inside.
>> As this image does as well:
>> https://github.com/nginxinc/openshift-nginx
>> It needs to run as root to bind the port 80 (but not only).
>>
>> Thanks
>>
>
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
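
The setup suggested at the top of this message, sketched as an added example (not part of the original thread or of any project's own manifests): nginx listens on unprivileged port 9090 as a non-root user, and the Service and Route forward to that port. The object names and the image are hypothetical; the image is assumed to ship an nginx.conf with `listen 9090;` and pid, log and cache paths writable by an arbitrary non-root UID.

```yaml
# Added example; object names and image are hypothetical placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-unprivileged
  labels:
    app: nginx-unprivileged
spec:
  containers:
  - name: nginx
    # Assumption: nginx.conf in this image has "listen 9090;" and its pid,
    # log and cache paths are writable by a non-root user.
    image: registry.example.com/demo/nginx-9090:latest
    ports:
    - name: http
      containerPort: 9090        # not a privileged port (<1024), so no root needed to bind
    securityContext:
      runAsNonRoot: true         # container is refused if it would start as UID 0
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]            # NET_BIND_SERVICE is not required for port 9090
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-unprivileged
spec:
  selector:
    app: nginx-unprivileged
  ports:
  - name: http
    port: 80                     # port seen by clients inside the cluster
    targetPort: 9090             # forwarded to the container's unprivileged port
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: nginx-unprivileged
spec:
  to:
    kind: Service
    name: nginx-unprivileged
  port:
    targetPort: http             # named Service port; the router fronts it externally
```

Under these assumptions the pod fits the default `restricted` SCC, so no `runAsUser: type: RunAsAny` grant is needed for it.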

