Currently we are configuring openshift in the CDK/ADB to be more
permissive than it should be when running containers.

At [1] we are setting:

    oadm policy add-scc-to-group anyuid system:authenticated

From my experiments this means that containers run as anyuid and thus
can be root, cc Clayton for confirmation.

What this means is that we are misleading users into thinking things
will run in production OpenShift, when the production OpenShift most
likely won't have things configured this way.

We should probably not be doing this. Reverting this change will also
mean that proposed demos, etc., should be retested on the newer version
meticulously.

Dusty

[1] https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47

_______________________________________________
Container-tools mailing list
Container-tools@redhat.com
https://www.redhat.com/mailman/listinfo/container-tools
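An added illustration of the point raised above; this is not part of Dusty's message or of the adb-utils provisioning script. It places the permissive grant from openshift_provision next to its revert, and gives a small check that can be pointed at the output of `oc get scc anyuid -o yaml` to tell whether the anyuid SCC is still open to every authenticated user. The `oadm`/`oc` invocations are the real OpenShift 3 CLI; the `anyuid_groups`/`anyuid_state` helpers and the two SCC YAML samples are constructed for this example and are assumptions, not output captured from a CDK/ADB instance.

```shell
#!/bin/sh
# Added example (not adb-utils code). Assumes the OpenShift 3.x oadm/oc CLI.
#
# The grant that this thread objects to (openshift_provision, line 47):
#   oadm policy add-scc-to-group anyuid system:authenticated
# Because the anyuid SCC has runAsUser.type: RunAsAny, every pod created by
# any authenticated user may run its containers as UID 0.
#
# The revert:
#   oadm policy remove-scc-from-group anyuid system:authenticated
#
# To check the live state on a cluster:
#   oc get scc anyuid -o yaml

# anyuid_groups: print the entries of the top-level 'groups:' list of an SCC
# given its YAML (as printed by `oc get scc anyuid -o yaml`), one per line.
anyuid_groups() {
    printf '%s\n' "$1" | awk '
        /^groups:/           { in_groups = 1; next }
        in_groups && /^- /   { sub(/^- /, ""); print; next }
                             { in_groups = 0 }'
}

# anyuid_state: print "permissive" when system:authenticated is among the
# SCC's groups (the CDK/ADB setting), otherwise "restricted".
anyuid_state() {
    if anyuid_groups "$1" | grep -qx 'system:authenticated'; then
        echo permissive
    else
        echo restricted
    fi
}

# Constructed sample: the relevant parts of `oc get scc anyuid -o yaml`
# after the add-scc-to-group call above has been run.
PERMISSIVE_SCC='apiVersion: v1
kind: SecurityContextConstraints
metadata:
  name: anyuid
groups:
- system:cluster-admins
- system:authenticated
runAsUser:
  type: RunAsAny
users: []'

# Constructed sample: the same SCC with only its default group, i.e. after
# remove-scc-from-group has been run.
DEFAULT_SCC='apiVersion: v1
kind: SecurityContextConstraints
metadata:
  name: anyuid
groups:
- system:cluster-admins
runAsUser:
  type: RunAsAny
users: []'

# Run against the live cluster when oc is available, else against the samples.
if command -v oc >/dev/null 2>&1; then
    echo "live anyuid SCC: $(anyuid_state "$(oc get scc anyuid -o yaml)")"
else
    echo "sample after add-scc-to-group:    $(anyuid_state "$PERMISSIVE_SCC")"
    echo "sample after remove-scc-from-group: $(anyuid_state "$DEFAULT_SCC")"
fi
```

If `anyuid_state` reports "permissive", a quick confirmation of what that means is to start any pod as an ordinary user and run `id -u` inside it; a Dockerfile without a `USER` line will get UID 0, which the default OpenShift `restricted` SCC would have refused.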