Currently we are configuring OpenShift in the CDK/ADB to be more permissive than it should be when running containers.

At [1] we are setting:

    oadm policy add-scc-to-group anyuid system:authenticated

From my experiments this means that containers run as anyuid and thus can be root, cc clayton for confirmation.

What this means is that we are misleading users into thinking things will run in production OpenShift, when the production OpenShift most likely won't have things configured this way.

We should probably not be doing this. Reverting this change will also mean that proposed demos, etc. should be retested on the newer version meticulously.

Dusty

[1] https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47
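
A check for the configuration described in the message above, as an added example (not part of the original post or of adb-utils): it reads SCC objects in the JSON shape of `oc get scc -o json` and reports every SCC that permits UID 0 and is granted to an all-users group. The function names and the sample data are constructed for illustration.

```python
import json

# Groups that match every user, so a grant to them is effectively cluster-wide.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Constructed sample in the shape of `oc get scc -o json`, trimmed to the fields
# used here. "anyuid" carries the extra group the provisioning command adds.
SAMPLE_SCC_LIST = json.dumps({"items": [
    {"metadata": {"name": "anyuid"},
     "runAsUser": {"type": "RunAsAny"},
     "groups": ["system:cluster-admins", "system:authenticated"]},
    {"metadata": {"name": "restricted"},
     "runAsUser": {"type": "MustRunAsRange"},
     "groups": ["system:authenticated"]},
    {"metadata": {"name": "privileged"},
     "runAsUser": {"type": "RunAsAny"},
     "groups": ["system:cluster-admins", "system:nodes"]},
]})


def allows_root(scc):
    """True if the SCC's runAsUser strategy lets a container run as UID 0."""
    run_as = scc.get("runAsUser") or {}
    kind = run_as.get("type")
    if kind == "RunAsAny":
        return True
    if kind == "MustRunAs":
        return run_as.get("uid") == 0
    if kind == "MustRunAsRange":
        # Without an explicit minimum the range comes from the project, not the SCC.
        return run_as.get("uidRangeMin") == 0
    return False  # MustRunAsNonRoot and unknown strategies


def broad_root_grants(scc_list_json):
    """Return sorted (scc, group) pairs where a root-capable SCC is open to all users."""
    findings = []
    for scc in json.loads(scc_list_json).get("items", []):
        if not allows_root(scc):
            continue
        for group in scc.get("groups") or []:
            if group in BROAD_GROUPS:
                findings.append((scc["metadata"]["name"], group))
    return sorted(findings)


if __name__ == "__main__":
    for name, group in broad_root_grants(SAMPLE_SCC_LIST):
        print(f"SCC {name!r} allows UID 0 and is granted to {group!r}")
```

On a live cluster the input would be the output of `oc get scc -o json`; an empty result means no root-capable SCC is open to all authenticated users.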