Reputation: 641
How to give a container root permission (serviceaccount) before starting the build
Openshift does not allow to run containers as root, but you can do this by creating a service account:
oc adm policy add-scc-to-user anyuid -z useroot
and then patching the deployment configuration, this will consequently deploy a new replication controller version with the new changes, is it possible to create the service account and include it in the following command:
oc new-app --name=test --docker-image=myregistry.com/test:latest
and have the service Account name included in the above command to avoid having a new version of the app or if there's any other possibility to foresee this root permission error and decrease the security for the pod to run as root without patching or redeploy the app
Upvotes: 1
Views: 6158
Answers (1)
Reputation: 4703
Will and Graham has already provided great comments for you, so I suggest additional practical details of them as follows.
If you grant anyuid scc to default ServiceAccount before oc new-app, the test pods are going to run as root permission without version change.
# oc adm policy add-scc-to-user anyuid -z default
# oc new-app --name=test --docker-image=myregistry.com/test:latest
# oc rollout history dc/test
deploymentconfigs "test"
REVISION STATUS CAUSE
1 Complete config change
# oc rsh dc/test id
uid=0(root) gid=0(root) groups=0(root)
OR
If you need to specify the custom ServiceAccount name, you can extract oc new-app yaml and create resources after add serviceAccountName: useroot element to it. These steps also do not change the deployment version.
# oc create sa useroot
# oc adm policy add-scc-to-user anyuid -z useroot
# oc new-app --name=test --docker-image=myregistry.com/test:latest -o yaml --dry-run > test.yml
# vim test.yml
apiVersion: v1
items:
- apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
...
spec:
...
template:
spec:
serviceAccountName: useroot
...
# oc create -f ./test.yml
imagestream.image.openshift.io/test created
deploymentconfig.apps.openshift.io/test created
service/test created
# oc rollout history dc/test
deploymentconfigs "test"
REVISION STATUS CAUSE
1 Complete config change
# oc rsh dc/test id
uid=0(root) gid=0(root) groups=0(root)
Upvotes: 3
Related Questions
- Openshift missing permissions to create a file
- Run Openshift pod as root user
- Openshift 4 - Mkdir command gets permission denied error
- How do I change the permissions in openshift container platform?
- How to create an Image with non-root access from a Dockerfile for OpenShift?
- openshift: allow serviceaccount to create project
- How do you run an Openshift Docker container as something besides root?
- Openshift privileged container access services from openshift namespace
- Kubernetes openshift : Permission denied during deployment
- Openshift (Origin) Enable Images to Run with ROOT user