The uid assigned is not random.  It is the first uid of a range assigned to
the namespace.  The value is stored on the namespace as an annotation.  The
SCC looks at that range when interpreting MustRunAsRange.  You can set the
annotation yourself as you see fit.

On Jul 26, 2017, at 2:50 PM, Isuru Haththotuwa <[email protected]> wrote:

Hi all,

I'm trying to allow Docker containers to be run in openshift using the user
specified in the Dockerfile itself, without using a random user id. I see
that it's possible to do this using the command [1], where all authenticated
users will be added to the anyuid group. Without doing this for all users,
can I do it for one specific user? I tried the following:

   1. Create a service account in default project using command [2]
   2. Add the service account to the anyuid scc using command [3]
   3. Referred to this service account name in the Deployment definition as
   shown in the sample [4]

However, still the container seems to start with a random user id. Is this
approach incorrect? What is the link between service account and the user
we set in the Docker images (with USER keyword)?

[1]. oc adm policy add-scc-to-group anyuid system:authenticated

[2]. oc create serviceaccount mysvcacct

[3]. oc adm policy add-scc-to-user anyuid system:serviceaccount:mysvcacct

[4]. https://blog.openshift.com/understanding-service-accounts-sccs/

-- 
Thanks and Regards,
Isuru

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
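
As an added example (not part of the original thread), the shell helpers below read the namespace UID range described in the reply and check whether a given UID falls inside it. They assume the annotation is OpenShift's `openshift.io/sa.scc.uid-range` with a `<start>/<size>` value; the function names are hypothetical and the sample value in the comment is constructed.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not OpenShift commands.
# Annotation holding the namespace UID block (assumed; not named in the thread).
UID_RANGE_ANNOTATION='openshift.io/sa.scc.uid-range'

# Print "<first> <last>" for a "<start>/<size>" value; return 1 if malformed.
# Constructed sample: "1000030000/10000" covers 1000030000..1000039999.
uid_range_bounds() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    start=${1%%/*}
    size=${1#*/}
    case "$start$size" in
        ''|*[!0-9]*) return 1 ;;   # digits only on both sides of the slash
    esac
    [ -n "$start" ] && [ -n "$size" ] && [ "$size" -gt 0 ] || return 1
    echo "$start $((start + size - 1))"
}

# Succeed when UID $2 lies inside range value $1. The first UID of the range
# is the one the reply says is assigned by default.
uid_allowed_in_range() {
    bounds=$(uid_range_bounds "$1") || return 1
    first=${bounds% *}
    last=${bounds#* }
    [ "$2" -ge "$first" ] && [ "$2" -le "$last" ]
}

# The two functions below need a logged-in oc session; the parsing above runs offline.
# Read the range stored on namespace $1.
namespace_uid_range() {
    oc get namespace "$1" \
        -o "jsonpath={.metadata.annotations.openshift\.io/sa\.scc\.uid-range}"
}

# Set the range on namespace $1 to "<start>/<size>" value $2 after validating it.
set_namespace_uid_range() {
    uid_range_bounds "$2" >/dev/null || return 1
    oc annotate namespace "$1" --overwrite "$UID_RANGE_ANNOTATION=$2"
}
```

For example, `uid_allowed_in_range "$(namespace_uid_range default)" 1001` tells you whether UID 1001 fits the range currently stored on the `default` namespace.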