Allow Containers to run as root on OpenShift 4 : Hack

#openshift #root #container

🤫 Don’t tell anyone that i shared this trick with you

Let me tell you that OpenShift is the most secure Kubernetes distribution on this planet. So OpenShift has the responsibility to secure your apps, which is why OpenShift does not allow containers to run as root.

“ First Principles : Never ever run your containers as root user”

Having said that, there are some instances when you want to run a pokemon container image that you found on some random container repository and want to run that to your OpenShift homelab/dev/test clusters.

Well to do so, you need to allow running container image as root and this is how you can do it.

oc login -u system:admin -n default

2. Create a new project where you will be running that in-secure container

oc new-project pokemon-prj

3. Add the security policy anyuid to the service account responsible for creating your deployment, by default this user is default. The dash z indicates that we want to manipulate a service account

oc adm policy add-scc-to-user anyuid -z default

4. You are all set, go and deploy or re-deploy your containers, it should work now, in pokemon-prj project

Summary

Don’t ever run containers as root in production environments
Don’t tell anyone that you learned this hack from this blog

Top comments (2)

Beeblebrox • Jan 22 '23 • Edited

...and you just enabled security hole for the whole cluster 🤦
I know you want to get clicks and views using "marketing" shenanigans and you added bullet point in summary. It's not a "hack", it is simply unprofessional.

It is a feature, It is not designed by mistake so, not so someone can "hack it with a trick not told to anyone", but because container running as root has full control of the host system and you help inexperienced people to shoot themselves to the foot.

Maybe this helps to understand how big issue root in container can be:
redhat.com/en/blog/preview-running...
redhat.com/en/blog/understanding-r...

VMM-MMV • Jan 22 • Edited

What about initContainers? I have an app that requires write permission, the way I solved it now, is that I gave the group on that folder root permission:
RUN chgrp -R 0 /application && \ chmod -R g=u /application
But to do this I have to make another docker image. So, I thought what if I make the folder inside the initContainer and then connected it to the actual container with a mount.

initContainers:
        - name: init-chmod-data
          image: busybox
          command:
            - /bin/sh
            - -c
            - |
              mkdir -p /prometheus
              chown -R 1001:0 /prometheus
              chmod -R g=u /prometheus
          volumeMounts:
            - name: prometheus-data
              mountPath: /prometheus
          securityContext:
            runAsUser: 0
            runAsGroup: 0

      containers:
        - name: prometheus
          image: prom/prometheus:latest
          ports:
            - containerPort: 9090
          volumeMounts:
            - name: prometheus-data
              mountPath: /prometheus

But I require, permission for this. So is it okay in such a scenario?

DEV Community

Allow Containers to run as root on OpenShift 4 : Hack

Summary

Top comments (2)

Read next

A Beginner’s Guide to Docker Image for Developers

A Beginner’s Guide to Docker Networking for Developers

Comparison of Two Methods for Deploying Azure Functions to Azure Container Apps

Optimizing Docker Images for Size and Security: A Comprehensive Guide