🤫 Don’t tell anyone that I shared this trick with you
Let me tell you that OpenShift ships with stricter defaults than most Kubernetes distributions. Every pod is admitted under a SecurityContextConstraint (SCC), and the default one, restricted, forces each container to run as a random non-root UID from the project's range, so an image whose USER is root, or that needs to write to root-owned paths, refuses to start.
“First principle: never run your containers as root.”
Having said that, there are times when you want to run some pokemon container image you found on a random registry on your OpenShift homelab/dev/test cluster, and that image insists on running as root.
To do so, you have to allow containers in that project to run as root, and this is how you do it.
1. Log in to OpenShift as a cluster-admin, for example system:admin (granting an SCC requires cluster-admin rights)
oc login -u system:admin -n default
2. Create a new project where you will be running that insecure container
oc new-project pokemon-prj
3. Add the anyuid SCC to the service account your pods run under. Unless your deployment sets serviceAccountName, that is the project's default service account. The -z flag tells oc that the name is a service account in the project (run this from pokemon-prj, or pass -n pokemon-prj as below). Because anyuid has a higher priority than restricted, pods from that service account will now be admitted under anyuid and keep the UID set by the image.
oc adm policy add-scc-to-user anyuid -z default -n pokemon-prj
4. You are all set. Deploy or re-deploy your containers in the pokemon-prj project; they should start now. You can confirm which SCC a pod was admitted under from its openshift.io/scc annotation (oc get pod <name> -o yaml). Note what you just did: the grant is scoped to the default service account of that one project, not the whole cluster, but without user namespaces UID 0 inside the container is UID 0 on the node, so a container escape from that pod is a root escape. Revoke the grant with the matching remove-scc-from-user subcommand when the experiment is over.
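The whole procedure as one script, as an added example that is not code from the original post: it grants anyuid to the project's service account, checks that the grant actually landed on the SCC and that a given pod was admitted under anyuid (and what UID it really runs as), and revokes the grant afterwards. It assumes oc is on PATH and you are logged in as a cluster-admin; pokemon-prj, default and pokemon-app are placeholder names, and the two text-parsing helpers read oc's YAML output on stdin so they can be checked without a cluster.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes: oc on PATH and a
# cluster-admin login. pokemon-prj / default / pokemon-app are placeholders.
set -eu

# Grant the anyuid SCC to one service account in one project. The grant is
# scoped to that SA, but anything it runs may be UID 0, and without user
# namespaces UID 0 in the container is UID 0 on the node.
grant_anyuid() {
  local project="$1" sa="${2:-default}"
  oc new-project "$project" >/dev/null 2>&1 || oc project "$project" >/dev/null
  oc adm policy add-scc-to-user anyuid -z "$sa" -n "$project"
}

# Undo the grant once the experiment is over.
revoke_anyuid() {
  local project="$1" sa="${2:-default}"
  oc adm policy remove-scc-from-user anyuid -z "$sa" -n "$project"
}

# Text check on `oc get scc anyuid -o yaml` read from stdin: is the SA listed
# under the SCC's users:? add-scc-to-user records it there as
# system:serviceaccount:<project>:<sa>. Exit 0 if listed, 1 otherwise.
sa_listed_in_scc() {
  local project="$1" sa="${2:-default}"
  grep -q -F -- "- system:serviceaccount:${project}:${sa}"
}

# Text check on `oc get pod <name> -o yaml` read from stdin: print the SCC the
# pod was admitted under (admission records it in the openshift.io/scc
# annotation). Prints nothing if the annotation is absent.
scc_of_pod() {
  sed -n 's/^[[:space:]]*openshift\.io\/scc:[[:space:]]*//p'
}

# Live check: did the grant land on the SCC object?
verify_grant() {
  local project="$1" sa="${2:-default}"
  if oc get scc anyuid -o yaml | sa_listed_in_scc "$project" "$sa"; then
    echo "ok: ${project}/${sa} may use anyuid"
  else
    echo "FAIL: ${project}/${sa} is not listed on anyuid" >&2
    return 1
  fi
}

# Live check: which SCC admitted the pod, and what UID does it really run as?
verify_pod() {
  local project="$1" pod="$2" scc uid
  scc=$(oc get pod "$pod" -n "$project" -o yaml | scc_of_pod)
  uid=$(oc exec "$pod" -n "$project" -- id -u)
  echo "pod ${pod}: scc=${scc:-<none>} uid=${uid}"
  [ "$scc" = "anyuid" ]
}

# Usage: ./anyuid.sh grant|verify|revoke pokemon-prj [pod-name]
# Does nothing without arguments, so the file can also be sourced for its functions.
case "${1:-}" in
  grant)  grant_anyuid "$2"; verify_grant "$2" ;;
  verify) verify_pod "$2" "$3" ;;
  revoke) revoke_anyuid "$2" ;;
esac
```

Run it as ./anyuid.sh grant pokemon-prj, deploy the image, then ./anyuid.sh verify pokemon-prj pokemon-app to see the admitting SCC and the effective UID, and ./anyuid.sh revoke pokemon-prj when you are done.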
Summary
- Don’t ever run containers as root in production environments; fix the image to run as an arbitrary non-root UID (paths it writes to owned by group 0 and group-writable) instead of granting anyuid
- Don’t tell anyone that you learned this hack from this blog
Top comments (2)
...and you just enabled a security hole for the whole cluster 🤦
I know you want to get clicks and views using "marketing" shenanigans, and you added a bullet point in the summary. It's not a "hack", it is simply unprofessional.
It is a feature. It is not designed by mistake, and not so someone can "hack it with a trick not told to anyone", but because a container running as root has full control of the host system, and you help inexperienced people shoot themselves in the foot.
Maybe this helps to understand how big an issue root in a container can be:
redhat.com/en/blog/preview-running...
redhat.com/en/blog/understanding-r...
What about initContainers? I have an app that requires write permission; the way I solved it for now is that I gave the group on that folder root permission:
RUN chgrp -R 0 /application && \
chmod -R g=u /application
But to do this I have to build another Docker image. So I thought, what if I make the folder inside the initContainer and then connect it to the actual container with a mount?
But I require permission for this. So is it okay in such a scenario?