
Re: MustRunAsRange vs MustRunAsNonRoot

Range means that the uid will be defaulted and limited to the range
specified on the namespace (scc.sa.uid).  The default is the first
element in the range.

NonRoot may not apply defaulting (although technically it could), and
simply requires that the container have a non-zero, numeric uid.
Defaulting is a little special here - we don't default in the API, but
instead wait until the container image is pulled.  If the image has a
user > 0 (numeric) it'll be allowed through, otherwise the pod should
be failed.

Now that we have the image resolver, it would certainly be possible to
do that calculation via image resolution and report it to get early

> On May 20, 2017, at 6:27 AM, Andrew Lau <andrew andrewklau com> wrote:
> I'm looking to find some clarification on the difference between MustRunAsRange vs MustRunAsNonRoot.
> MustRunAsRange seems to be the cluster default; this allows containers to run even if they do not have the USER definition.
> Many pages seem to tout that OpenShift does not run containers as root, and the web console also suggests it may be blocked, but it still lets them run.
> Thanks
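The two strategies described in the reply, modelled as an added illustration (this is not OpenShift's admission code; the functions, the `Decision` type and the sample uid values are assumptions). It shows the defaulting that MustRunAsRange performs against the namespace range, the API-time and image-pull-time checks that MustRunAsNonRoot performs, and why an image whose USER is a name rather than a number fails the NonRoot check. The namespace range is read from the `openshift.io/sa.scc.uid-range` annotation, written as `<start>/<length>`, which is what the reply refers to as `scc.sa.uid`.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Decision:
    allowed: bool
    effective_uid: Optional[int]  # uid the container will run as, if known
    reason: str


def parse_uid_range(annotation: str) -> Tuple[int, int]:
    """Convert the '<start>/<length>' annotation value into (first, last)."""
    start, length = (int(x) for x in annotation.split("/"))
    return start, start + length - 1


def must_run_as_range(requested_uid: Optional[int], ns_range: Tuple[int, int]) -> Decision:
    """MustRunAsRange: unset uid is defaulted to the first element of the range,
    an explicit uid must fall inside the range."""
    lo, hi = ns_range
    if requested_uid is None:
        return Decision(True, lo, f"runAsUser defaulted to {lo} (start of {lo}-{hi})")
    if lo <= requested_uid <= hi:
        return Decision(True, requested_uid, "runAsUser inside namespace range")
    return Decision(False, None, f"runAsUser {requested_uid} outside {lo}-{hi}")


def must_run_as_non_root_api(requested_uid: Optional[int]) -> Decision:
    """MustRunAsNonRoot at API time: no defaulting. An explicit 0 is rejected;
    an unset uid is deferred until the image has been pulled."""
    if requested_uid is None:
        return Decision(True, None, "no runAsUser; deferred to image pull")
    if requested_uid == 0:
        return Decision(False, None, "explicit runAsUser 0 rejected")
    return Decision(True, requested_uid, "explicit non-zero runAsUser accepted")


def must_run_as_non_root_at_pull(image_user: Optional[str]) -> Decision:
    """MustRunAsNonRoot after pull: the image USER must be numeric and > 0.
    A named USER (e.g. 'app') cannot be verified as non-root, so the pod fails."""
    if image_user is None or not image_user.isdigit():
        return Decision(False, None, f"image USER {image_user!r} is not a numeric uid")
    uid = int(image_user)
    if uid == 0:
        return Decision(False, None, "image USER is root (0)")
    return Decision(True, uid, f"image USER {uid} accepted")
```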
