OK, thanks.

What's the recommended approach to running a specific container that
cannot work with an allocated ID from the range?

I try running such an image (oc new-app repo/image) as a normal user and
it fails as it doesn't run with a randomly assigned userid.

I can resolve this by editing the "restricted" SCC configuration, but
that would apply to all containers which might not be what is wanted.

Instead I tried doing this with the system:admin user as I believed that
would do this with the privileged SCC, but that does not seem to be the
case as the container fails to start for the same reason as when running
with a normal user.

So what is the recommended approach for running a specific container
with a different SCC?

Tim

On 08/06/2017 18:34, Vyacheslav Semushin wrote:
> 2017-06-08 19:17 GMT+02:00 Tim Dudgeon <[email protected]>:
>
> > I'm struggling to find a full definition of the different values
> > for the runAsUser.Type option for Security Context Constraints.
>
> It should be here:
> https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#authorization-RunAsUser
>
> > I found mention of MustRunAsRange, RunAsAny and MustRunAsNonRoot.
> > Is there an option to run as the specified user unless it is
> > root, in which case allocate an id from the range?
>
> I think no, there is no such option.
>
> The behavior that you are requesting could be unexpected for many
> users. If someone defines that his image needs to be run under the root
> user, then he has a reason for that. In most cases, it means that if
> OpenShift tries to run such an image under an unprivileged user,
> the container won't start or won't work.
>
> --
> Slava Semushin | OpenShift

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users