
Re: Security implications of "runAsUser: type: RunAsAny"



If you relax restricted for all users, then yes, anyone who can oc
login can run as root on your cluster.

On Tue, Oct 27, 2015 at 12:21 PM, "Gerhard Müller" <vekt0r7 gmx net> wrote:
> Hello
>
> I am trying to understand the security implications of doing "oc edit scc"
> and using
>   runAsUser:
>     type: RunAsAny
> for "name: restricted".
>
> This makes it possible for pods in OpenShift to have processes inside them
> that run as root. If I set this for "name: restricted" most of the
> containers from docker.io will run in OpenShift... which is very useful.
> Will the people who log in to the cluster via "oc login" be able to do funny
> things if the restricted pods have "type: RunAsAny"?
>
> regards
> v
>
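
An added example (not part of the original thread, and not OpenShift's own tooling): a small Python audit over the JSON printed by `oc get scc -o json` that lists every SCC with `runAsUser.type: RunAsAny` and marks as high severity those granted to a broad group such as `system:authenticated`, which is the case the reply describes. The sample data, including the `legacy-images` SCC and its service account, is constructed for illustration.

```python
import json

# Groups that amount to "every user who can log in" (or everyone at all).
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Constructed sample in the shape of `oc get scc -o json`; not from a real cluster.
SAMPLE = json.dumps({
    "items": [
        {"metadata": {"name": "restricted"},          # relaxed as in the thread
         "runAsUser": {"type": "RunAsAny"},
         "groups": ["system:authenticated"], "users": []},
        {"metadata": {"name": "anyuid"},
         "runAsUser": {"type": "RunAsAny"},
         "groups": ["system:cluster-admins"], "users": []},
        {"metadata": {"name": "legacy-images"},       # hypothetical custom SCC
         "runAsUser": {"type": "RunAsAny"},
         "groups": [],
         "users": ["system:serviceaccount:legacy:runner"]},
        {"metadata": {"name": "nonroot"},
         "runAsUser": {"type": "MustRunAsNonRoot"},
         "groups": ["system:authenticated"], "users": []},
    ]
})


def audit_sccs(scc_json):
    """Return one finding per SCC that allows any UID (root included).

    severity is "high" when the SCC is granted to a broad group, i.e. anyone
    who can `oc login` can run pods as root; otherwise "review".
    """
    findings = []
    for scc in json.loads(scc_json).get("items", []):
        if (scc.get("runAsUser") or {}).get("type") != "RunAsAny":
            continue  # UID is constrained; not the setting discussed here
        groups = scc.get("groups") or []
        broad = sorted(BROAD_GROUPS & set(groups))
        findings.append({
            "scc": scc["metadata"]["name"],
            "severity": "high" if broad else "review",
            "broad_groups": broad,
            "subjects": sorted((scc.get("users") or []) + groups),
        })
    return findings


if __name__ == "__main__":
    for f in audit_sccs(SAMPLE):
        print(f["severity"], f["scc"], f["subjects"])
```
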

