
OpenShift does not allow running containers as root, but you can do this by creating a service account:

oc adm policy add-scc-to-user anyuid -z useroot

and then patching the deployment configuration. This consequently deploys a new replication controller version with the new changes. Is it possible to create the service account and include it in the following command:

oc new-app --name=test --docker-image=myregistry.com/test:latest

and have the service account name included in the above command, to avoid creating a new version of the app? Or is there any other way to foresee this root permission error and lower the pod's security so it runs as root, without patching or redeploying the app?

  • You shouldn't need a service account...last I played around with this, you should be able to give your user the permission (just leave off the `-z` and use your username)...and that should be enough to make it work. But, honestly, it's been a while since I did this. At least maybe it'll be something worth testing? – Will Gordon Mar 30 '19 at 23:42
  • Not your own user, but the `default` service account of the project. Doing that is not really recommended though, as then everything in the project could run as `root`. Best practice is to use a separate service account. See https://cookbook.openshift.org/users-and-role-based-access-control/how-can-i-enable-an-image-to-run-as-a-set-user-id.html – Graham Dumpleton Mar 31 '19 at 04:06
  • Thank you all for your response I’ll make sure to try the provided solution – Miira ben sghaier Mar 31 '19 at 18:42

1 Answer


Will and Graham have already provided great comments for you, so I suggest additional practical details on them as follows.

If you grant the anyuid SCC to the default ServiceAccount before oc new-app, the test pods are going to run with root permission without a version change.

# oc adm policy add-scc-to-user anyuid -z default
# oc new-app --name=test --docker-image=myregistry.com/test:latest

# oc rollout history dc/test
deploymentconfigs "test"
REVISION    STATUS      CAUSE
1       Complete    config change

# oc rsh dc/test id
uid=0(root) gid=0(root) groups=0(root)

OR

If you need to specify a custom ServiceAccount name, you can extract the oc new-app YAML and create the resources after adding a serviceAccountName: useroot element to it. These steps also do not change the deployment version.

# oc create sa useroot
# oc adm policy add-scc-to-user anyuid -z useroot
# oc new-app --name=test --docker-image=myregistry.com/test:latest -o yaml --dry-run > test.yml
# vim test.yml
apiVersion: v1
items:
- apiVersion: apps.openshift.io/v1
  kind: DeploymentConfig
  ...
  spec:
  ...
    template:
      spec:
        serviceAccountName: useroot
  ...
# oc create -f ./test.yml
imagestream.image.openshift.io/test created
deploymentconfig.apps.openshift.io/test created
service/test created

# oc rollout history dc/test
deploymentconfigs "test"
REVISION    STATUS      CAUSE
1       Complete    config change

# oc rsh dc/test id
uid=0(root) gid=0(root) groups=0(root)
Graham Dumpleton
Daein Park
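The second recipe in the answer (render with --dry-run, add serviceAccountName, then oc create) can be scripted so the manual vim step disappears and revision 1 already runs under the dedicated service account. The following is an added example, not code from the answer or from the OpenShift project: inject_sa and deploy_as are names chosen here, not oc subcommands, and SAMPLE_YAML is a constructed stand-in for the List that oc new-app -o yaml --dry-run emits, trimmed to the fields the edit touches. It assumes the 2-space indentation oc produces (List item at column 0, kind at 2, template at 4, pod spec at 6). It goes slightly beyond the answer in one respect: if the template already carries a serviceAccountName, the key is replaced rather than duplicated.

```shell
#!/bin/sh
# Added example (not from the answer above): script the
# "oc new-app --dry-run | edit | oc create" recipe so the first rollout
# already carries serviceAccountName. inject_sa/deploy_as are names chosen
# here; they are not oc commands.

# inject_sa SA_NAME
#   Reads an `oc new-app ... -o yaml --dry-run` List on stdin and writes it to
#   stdout with `serviceAccountName: SA_NAME` placed directly under the
#   DeploymentConfig's .spec.template.spec. Assumes oc's 2-space indentation
#   (item at col 0, kind at 2, template at 4, pod spec at 6). A
#   serviceAccountName already present under the pod template is replaced.
inject_sa() {
  awk -v sa="$1" '
    /^- apiVersion:/             { in_dc = 0; in_tpl = 0; injected = 0 }  # next List item
    /^  kind: DeploymentConfig$/ { in_dc = 1 }
    in_dc && /^    template:$/   { in_tpl = 1 }
    # once we have injected, drop any pre-existing key so it is never emitted twice
    in_dc && injected && /^        serviceAccountName:/ { next }
    { print }
    in_dc && in_tpl && /^      spec:$/ {
      printf "        serviceAccountName: %s\n", sa
      in_tpl = 0; injected = 1
    }
  '
}

# deploy_as SA_NAME APP IMAGE
#   The full procedure against a cluster you are logged in to (not run here).
#   Binding anyuid to a dedicated SA, rather than to `default`, keeps every
#   other pod in the project on its existing SCC.
deploy_as() {
  sa="$1"; app="$2"; image="$3"
  oc create sa "$sa"
  oc adm policy add-scc-to-user anyuid -z "$sa"
  oc new-app --name="$app" --docker-image="$image" -o yaml --dry-run \
    | inject_sa "$sa" \
    | oc create -f -
  oc rollout history "dc/$app"   # expect a single revision
  oc rsh "dc/$app" id            # expect uid=0(root)
}

# Constructed stand-in for `oc new-app --name=test --docker-image=... -o yaml
# --dry-run` output, trimmed to the fields that matter for the edit.
SAMPLE_YAML=$(cat <<'EOF'
apiVersion: v1
items:
- apiVersion: image.openshift.io/v1
  kind: ImageStream
  metadata:
    name: test
  spec: {}
- apiVersion: apps.openshift.io/v1
  kind: DeploymentConfig
  metadata:
    name: test
  spec:
    replicas: 1
    selector:
      deploymentconfig: test
    template:
      metadata:
        labels:
          deploymentconfig: test
      spec:
        containers:
        - image: myregistry.com/test:latest
          name: test
- apiVersion: v1
  kind: Service
  metadata:
    name: test
  spec:
    ports:
    - port: 8080
kind: List
metadata: {}
EOF
)

# Offline demonstration: print the rewritten manifest.
printf '%s\n' "$SAMPLE_YAML" | inject_sa useroot
```

Only the DeploymentConfig's pod template is touched; the ImageStream and Service pass through unchanged, so `oc create -f -` produces the same three objects the answer shows, with a single revision in `oc rollout history`. The anyuid SCC lets pods of that service account run as any uid, root included, so bind it to the one service account that needs it and leave `default` alone, as Graham's comment recommends.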