
Re: Openshift Online Restriction Problem



2017-04-12 18:25 GMT+02:00 Steven Pousty <scitronp redhat com>:
Have you tried shelling into the pod and then doing a whoami?
Just being extra sure ;)

I bet that pod has been run under an unprivileged user, and this user is different from what was specified in the Dockerfile. This happens because the "restricted" Security Context Constraint was used, which doesn't allow running containers with user-defined UIDs. When the restricted SCC is in use, the container runs with a randomly generated UID. This can be proved by inspecting the Security Context of the container:

$ echo `oc get pod env-user-wb0r2 -o 'jsonpath={.spec.containers[0].securityContext.runAsUser}'`
1000040000

To allow using USER from the Dockerfile, we need to grant access to the anyuid SCC. Example from our documentation (https://docs.openshift.org/latest/admin_guide/manage_scc.html#enable-images-to-run-with-user-in-the-dockerfile):

$ oadm policy add-scc-to-group anyuid system:authenticated

After this, when we create a pod, it will have an empty runAsUser attribute:

$ echo `oc get pod env-user-z6cq6 -o 'jsonpath={.spec.containers[0].securityContext.runAsUser}'`


At this point we have found the reason and we know how it could be solved, but I'm not sure that OpenShift Online allows using the anyuid SCC, because it also allows running pods as root.


--
Slava Semushin | OpenShift
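Added example, not part of the thread above and not OpenShift's own code: the check Slava describes (compare the pod's runAsUser with the project's allocated UID block and the SCC that admitted the pod) done offline against pod and namespace JSON. The two pod objects and the namespace object are constructed inline to mirror the thread; in practice they would come from `oc get pod <name> -o json` and `oc get namespace <name> -o json`. It relies on two annotations OpenShift sets itself: `openshift.io/scc` on the pod (the SCC that admitted it) and `openshift.io/sa.scc.uid-range` on the namespace (`start/size` of the project's UID block). It goes one step beyond the thread by also flagging the root caveat: under anyuid, a missing runAsUser means the image's USER (possibly root) is honored.

```python
"""
Decide, from a pod's JSON and its namespace's annotations, whether the
restricted SCC replaced the image's USER with a UID from the project's
allocated range, or whether anyuid let the Dockerfile USER through.
All sample objects below are constructed for this example.
"""
import json

# Constructed sample: a pod admitted under the restricted SCC. The UID
# 1000040000 is the start of the project's allocated block, as in the thread.
POD_RESTRICTED = json.dumps({
    "metadata": {"name": "env-user-wb0r2", "namespace": "demo",
                 "annotations": {"openshift.io/scc": "restricted"}},
    "spec": {"containers": [{"name": "app", "image": "example/env-user",
                             "securityContext": {"runAsUser": 1000040000}}]},
})

# Constructed sample: the same workload after anyuid was granted; no runAsUser.
POD_ANYUID = json.dumps({
    "metadata": {"name": "env-user-z6cq6", "namespace": "demo",
                 "annotations": {"openshift.io/scc": "anyuid"}},
    "spec": {"containers": [{"name": "app", "image": "example/env-user",
                             "securityContext": {}}]},
})

# Constructed sample namespace carrying the per-project UID block annotation.
NAMESPACE = json.dumps({
    "metadata": {"name": "demo",
                 "annotations": {"openshift.io/sa.scc.uid-range": "1000040000/10000"}},
})


def uid_range(namespace_json):
    """Parse 'start/size' from openshift.io/sa.scc.uid-range into (low, high)."""
    ann = json.loads(namespace_json)["metadata"].get("annotations", {})
    start, size = ann["openshift.io/sa.scc.uid-range"].split("/")
    low = int(start)
    return low, low + int(size) - 1


def effective_uid_policy(pod_json, namespace_json):
    """Per container: which SCC admitted the pod, the runAsUser it got, a verdict
    on where that UID came from, and whether the image may end up running as root."""
    pod = json.loads(pod_json)
    scc = pod["metadata"].get("annotations", {}).get("openshift.io/scc")
    low, high = uid_range(namespace_json)
    report = {}
    for container in pod["spec"]["containers"]:
        uid = container.get("securityContext", {}).get("runAsUser")
        if uid is None:
            verdict = "image USER honored"
        elif low <= uid <= high:
            verdict = "project-range UID injected"
        else:
            verdict = "explicit UID outside project range"
        # anyuid with no runAsUser means whatever USER the Dockerfile set
        # (root if it set none) is what actually runs; uid 0 is root outright.
        root_possible = (scc == "anyuid" and uid is None) or uid == 0
        report[container["name"]] = {
            "scc": scc, "runAsUser": uid,
            "verdict": verdict, "root_possible": root_possible,
        }
    return report


if __name__ == "__main__":
    for label, pod in (("restricted", POD_RESTRICTED), ("anyuid", POD_ANYUID)):
        print(label, effective_uid_policy(pod, NAMESPACE))
```

The verdict "project-range UID injected" is the signature of the symptom in the thread: the UID is not random in the loose sense but the first UID of the block the project was allocated, which is why `whoami` inside the pod shows a number rather than the Dockerfile's user.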
