
Re: Using Custom SCC and Service Account in Deployment



The uid assigned is not random. It is the first uid of a range assigned to the namespace. The value is stored on the namespace as an annotation. The SCC looks at that range when interpreting MustRunAsRange. You can set the annotation yourself as you see fit.

On Jul 26, 2017, at 2:50 PM, Isuru Haththotuwa <isurulucky gmail com> wrote:

Hi all,

I'm trying to allow Docker containers to be run in OpenShift using the user specified in the Dockerfile itself, without using a random user id. I see that it's possible to do this using the command [1], where all authenticated users will be added to the anyuid group. Without doing this for all users, can I do it for one specific user? I tried the following:
  1. Create a service account in default project using command [2]
  2. Add the service account to the anyuid scc using command [3]
  3. Referred to this service account name in the Deployment definition as shown in the sample [4]

However, still the container seems to start with a random user id. Is this approach incorrect? What is the link between service account and the user we set in the Docker images (with USER keyword)?


[1]. oc adm policy add-scc-to-group anyuid system:authenticated

[2]. oc create serviceaccount mysvcacct

[3]. oc adm policy add-scc-to-user anyuid system:serviceaccount:mysvcacct

[4]. https://blog.openshift.com/understanding-service-accounts-sccs/

--
Thanks and Regards,
Isuru
_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
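
Added example (not part of the original thread): a shell sketch of the behaviour described in the reply, showing which uid a pod gets by default and whether a Dockerfile USER uid falls inside the namespace range that MustRunAsRange checks. It assumes the annotation is `openshift.io/sa.scc.uid-range` in `<first-uid>/<block-size>` form; the sample value and the uid 1001 are constructed.

```shell
#!/bin/sh
# Constructed sample annotation value ("<first-uid>/<block-size>").
# On a live cluster the value could be read with:
#   oc get namespace default \
#     -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'
SAMPLE_RANGE="1000130000/10000"

# Print "<min> <max>" (inclusive) for a "<start>/<size>" value.
# Returns 1 if the value is not in that form.
uid_range_bounds() {
  case "$1" in
    */*) _start="${1%%/*}"; _size="${1#*/}" ;;
    *)   return 1 ;;
  esac
  [ -n "$_start" ] && [ -n "$_size" ] || return 1
  case "$_start$_size" in
    *[!0-9]*) return 1 ;;
  esac
  [ "$_size" -gt 0 ] || return 1
  echo "$_start $((_start + _size - 1))"
}

# The uid assigned when the pod does not request one: the first uid of the range.
default_uid() {
  _b=$(uid_range_bounds "$1") || return 1
  echo "${_b%% *}"
}

# Exit 0 if uid $2 lies inside range $1, 1 if outside, 2 on malformed input.
uid_in_range() {
  case "$2" in
    ''|*[!0-9]*) return 2 ;;
  esac
  _b=$(uid_range_bounds "$1") || return 2
  [ "$2" -ge "${_b%% *}" ] && [ "$2" -le "${_b##* }" ]
}

# Demo with constructed values: 1001 stands in for a Dockerfile USER uid.
echo "default uid: $(default_uid "$SAMPLE_RANGE")"
if uid_in_range "$SAMPLE_RANGE" 1001; then
  echo "uid 1001 is inside the namespace range"
else
  echo "uid 1001 is outside the namespace range"
fi
```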
