Tuesday, October 15, 2019

joy of Openshift SCC

If you run

oc describe project

you will see two annotations:

openshift.io/sa.scc.supplemental-groups=1000800000/10000
openshift.io/sa.scc.uid-range=1000800000/10000


Even if you specify "USER 10001" in your Dockerfile, your actual uid will be remapped within the range specified by those two annotations (the second parameter, "/10000", is the block length! meaning that you can have 10000 different users starting from uid 1000800000):

sh-4.2$ id
uid=1000800000(root) gid=0(root) groups=0(root),1000800000
sh-4.2$ id root
uid=0(root) gid=0(root) groups=0(root)


And in order for this new user to be a first-class citizen in your Linux, you must run a uid_entrypoint script that appends it to /etc/passwd (the image has to make /etc/passwd writable by gid 0 at build time, since the pod runs with gid 0 but not as uid 0).
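As an added example, not from the original post: a minimal POSIX sh uid_entrypoint-style helper that does exactly that, appending a passwd entry for the uid the pod was assigned when none exists. The function name, the "default" user name and the UID_ENTRYPOINT_EXEC guard are my own assumptions; the /etc/passwd file must have been made group-writable (chmod g=u /etc/passwd) when the image was built.

```shell
#!/bin/sh
# Hypothetical uid_entrypoint helper (added example, not OpenShift's own code).
# Gives an arbitrary OpenShift-assigned uid a passwd entry so tools such as
# id, whoami, ssh and many JVM/Python libraries can resolve the running user.
# Usage: ensure_passwd_entry <uid> [<passwd_file>] [<home>] [<login_shell>]
ensure_passwd_entry() {
  uid="$1"
  passwd_file="${2:-/etc/passwd}"
  home="${3:-/home/default}"
  login_shell="${4:-/sbin/nologin}"

  [ -f "$passwd_file" ] || { echo "ensure_passwd_entry: $passwd_file not found" >&2; return 1; }

  # Already resolvable (e.g. the build-time USER, or a previous run): nothing to do.
  # Idempotence matters because entrypoints run on every container start.
  if awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }' "$passwd_file"; then
    return 0
  fi

  # A read-only /etc/passwd is the usual cause of "user does not exist" errors
  # on OpenShift; fail loudly instead of silently continuing.
  [ -w "$passwd_file" ] || { echo "ensure_passwd_entry: $passwd_file not writable" >&2; return 1; }

  # Primary gid 0 matches what the restricted SCC assigns (see the id output above).
  printf 'default:x:%s:0:default user:%s:%s\n' "$uid" "$home" "$login_shell" >> "$passwd_file"
}

# Typical entrypoint usage: fix up the current uid, then hand off to the real
# command. Guarded by an environment variable so the file can also be sourced
# (for example in tests) without touching the host's /etc/passwd.
if [ "${UID_ENTRYPOINT_EXEC:-0}" = "1" ]; then
  ensure_passwd_entry "$(id -u)" /etc/passwd "${HOME:-/home/default}"
  exec "$@"
fi
```

Point the image's ENTRYPOINT at this script with UID_ENTRYPOINT_EXEC=1 set in the Dockerfile, and the original CMD becomes the arguments that exec hands off to.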

For more details:

https://docs.openshift.com/enterprise/3.1/architecture/additional_concepts/authorization.html

https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
