As root, you have access to some of the kernel devices. Generally
that means you can do *anything* to the system because a number of
core kernel resources are not namespaced. A good example is
Some of this will be improved once user namespaces land in Docker, but
until then being able to run as uid 0 (root) inside a container is
basically giving your users access to run as root on the host machine.
On Tue, Oct 27, 2015 at 5:32 PM, v <vekt0r7 gmx net> wrote:
> Could you give me an example of the dangerous things that people could do to the nodes in my cluster with "type: RunAsAny"?
> I am not sure how much nasty stuff people could do with that. We should have SELinux type enforcement and MCS labels to keep the pods in check.
> Am 2015-10-27 um 17:44 schrieb Clayton Coleman:
>> If you relax restricted for all users, then yes, anyone who can oc
>> login can run as root on your cluster.
>> On Tue, Oct 27, 2015 at 12:21 PM, "Gerhard Müller" <vekt0r7 gmx net> wrote:
>>> I am trying to understand the security implications of doing "oc edit scc"
>>> and using
>>> type: RunAsAny
>>> for "name: restricted".
>>> This makes it possible for pods in openshift to have processes inside them
>>> that run as root. If I set this for "name: restricted" most of the
>>> containers from docker.io will run in OpenShift... which is very useful.
>>> Will the people who login to the cluster via "oc login" be able to do funny
>>> things if the restricted pods have "type: RunAsAny"?
>>> users mailing list
>>> users lists openshift redhat com
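An added audit script, not part of this thread or of OpenShift's own tooling, that checks a cluster for the configuration discussed above: it reads the document that `oc get scc -o json` produces, flags every SCC whose `runAsUser` strategy can resolve to uid 0, and lists which users and groups are granted it, so a cluster operator can see at a glance whether root is open to everyone who can `oc login`. The input below is constructed inline and stands in for real cluster output; `runAsUser.type`, `users`, `groups` and `allowPrivilegedContainer` are the real SCC fields, while the treatment of `MustRunAs` with `uid: 0` and `MustRunAsRange` with `uidRangeMin: 0` as root-capable is my reading of those strategies.

```python
import json

# Constructed sample of `oc get scc -o json`, cut down to the fields the audit
# reads. The "restricted" entry has been edited the way the thread describes
# (runAsUser.type set to RunAsAny and still granted to system:authenticated);
# the other two keep strategies of the default kind. Not captured from a cluster.
SAMPLE_SCC_LIST = json.loads("""
{
  "kind": "List",
  "items": [
    {
      "kind": "SecurityContextConstraints",
      "metadata": {"name": "restricted"},
      "runAsUser": {"type": "RunAsAny"},
      "allowPrivilegedContainer": false,
      "users": [],
      "groups": ["system:authenticated"]
    },
    {
      "kind": "SecurityContextConstraints",
      "metadata": {"name": "nonroot"},
      "runAsUser": {"type": "MustRunAsNonRoot"},
      "allowPrivilegedContainer": false,
      "users": [],
      "groups": []
    },
    {
      "kind": "SecurityContextConstraints",
      "metadata": {"name": "privileged"},
      "runAsUser": {"type": "RunAsAny"},
      "allowPrivilegedContainer": true,
      "users": ["system:admin"],
      "groups": ["system:cluster-admins"]
    }
  ]
}
""")


def strategy_allows_root(run_as_user):
    """True if this runAsUser stanza can resolve to uid 0 inside the container."""
    strategy = run_as_user.get("type")
    if strategy == "RunAsAny":
        return True  # the pod spec picks any uid, including 0
    if strategy == "MustRunAs":
        return run_as_user.get("uid") == 0  # pinned uid; only root if pinned to 0
    if strategy == "MustRunAsRange":
        # An explicit range starting at 0 includes root. Without an explicit range
        # the uid comes from the project's allocated range, treated as non-root here
        # (assumption: projects are allocated ranges that do not start at 0).
        return run_as_user.get("uidRangeMin") == 0
    return False  # MustRunAsNonRoot, or a strategy this audit does not know


def root_capable_sccs(scc_list):
    """Findings for every SCC whose runAsUser strategy permits a root process."""
    findings = []
    for scc in scc_list["items"]:
        run_as_user = scc.get("runAsUser", {})
        if not strategy_allows_root(run_as_user):
            continue
        groups = list(scc.get("groups", []))
        findings.append({
            "scc": scc["metadata"]["name"],
            "strategy": run_as_user.get("type"),
            "privileged": bool(scc.get("allowPrivilegedContainer", False)),
            "grantees": list(scc.get("users", [])) + groups,
            # system:authenticated is every logged-in user, i.e. anyone who can oc login
            "open_to_all_users": "system:authenticated" in groups,
        })
    return findings


def open_to_everyone(scc_list):
    """Names of root-capable SCCs granted to system:authenticated."""
    return [f["scc"] for f in root_capable_sccs(scc_list) if f["open_to_all_users"]]


if __name__ == "__main__":
    for finding in root_capable_sccs(SAMPLE_SCC_LIST):
        audience = ("EVERY authenticated user" if finding["open_to_all_users"]
                    else ", ".join(finding["grantees"]) or "nobody")
        print(f"{finding['scc']}: runAsUser={finding['strategy']} "
              f"privileged={finding['privileged']} -> {audience}")
```

Against the constructed sample this reports `restricted` as root-capable and open to every authenticated user, and `privileged` as root-capable but limited to `system:admin` and `system:cluster-admins`. To run it against a live cluster, replace `SAMPLE_SCC_LIST` with `json.load(sys.stdin)` and pipe in `oc get scc -o json`; a `restricted` SCC that shows up in the first category is the situation the reply above warns about, and putting `runAsUser.type` back to a non-root strategy (OpenShift's stock `restricted` SCC uses `MustRunAsRange`) or granting `RunAsAny` through a separate SCC to a narrower group closes it.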