[Devtools] openshift is way too permissive in the CDK/ADB

Clayton Coleman ccoleman at redhat.com
Wed May 18 11:10:58 UTC 2016


It was a deliberate choice, predicated on other changes coming to
Docker (user namespaces) plus the desire to ensure demos run.

Ultimately, the CDK is a playground.  Putting up chain link fences
around the playground sends the wrong message.

I'd prefer to have it easier to go between the levels in the short
term than to ratchet it back.

> On May 17, 2016, at 11:27 PM, Dusty Mabe <dusty at dustymabe.com> wrote:
>
>
> Currently we are configuring openshift in the CDK/ADB to be more
> permissive than it should be when running containers.
>
> At [1] we are setting:
>
>    oadm policy add-scc-to-group anyuid system:authenticated
>
> From my experiments this means that containers run as anyuid and thus
> can be root, cc clayton for confirmation.
>
> What this means is that we are misleading users into thinking things
> will run in production OpenShift, when the production OpenShift most
> likely won't have things configured this way.
>
> We should probably not be doing this. Reverting this change will also
> mean that proposed demos, etc. should be retested on the newer version
> meticulously.
>
> Dusty
>
> [1] https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47
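An added check for the setting Dusty quotes (not code from this thread or from adb-utils): it inspects `oc get scc anyuid -o yaml` output for the `system:authenticated` group grant, using constructed sample YAML rather than real cluster output, and prints the narrower remediation of granting anyuid to one service account (hypothetical name `demo-sa`) instead of to every authenticated user.

```shell
#!/bin/sh
# Constructed sample of what `oc get scc anyuid -o yaml` would show after the
# provisioning step at [1] has run (trimmed; not captured from a real cluster).
SCC_ANYUID_PERMISSIVE='apiVersion: v1
kind: SecurityContextConstraints
metadata:
  name: anyuid
groups:
- system:cluster-admins
- system:authenticated
runAsUser:
  type: RunAsAny
'

# Constructed sample of the stock anyuid SCC: only cluster admins are granted it.
SCC_ANYUID_DEFAULT='apiVersion: v1
kind: SecurityContextConstraints
metadata:
  name: anyuid
runAsUser:
  type: RunAsAny
groups:
- system:cluster-admins
'

# Reads SCC YAML on stdin. Returns 0 when the SCC is granted to the
# system:authenticated group, i.e. every logged-in user may run as any UID
# (root included); returns 1 otherwise.
anyuid_open_to_all() {
  # Keep only the top-level "groups:" list, then look for the broad grant.
  sed -n '/^groups:/,/^[^ -]/p' | grep -q '^- system:authenticated$'
}

# Prints (does not run) the commands that revoke the cluster-wide grant and
# re-grant anyuid only to the named service account, so a demo that truly
# needs root gets it without every authenticated user getting it too.
remediation_cmds() {
  sa="$1"
  printf '%s\n' \
    "oadm policy remove-scc-from-group anyuid system:authenticated" \
    "oadm policy add-scc-to-user anyuid -z $sa"
}

# Stand-alone usage: audit both samples and show the remediation.
if printf '%s' "$SCC_ANYUID_PERMISSIVE" | anyuid_open_to_all; then
  echo "permissive: anyuid is granted to system:authenticated"
  remediation_cmds demo-sa
fi
if printf '%s' "$SCC_ANYUID_DEFAULT" | anyuid_open_to_all; then
  echo "default: anyuid is granted to system:authenticated"
else
  echo "default: anyuid is restricted to its stock groups"
fi
```

On a live cluster the same check is `oc get scc anyuid -o yaml | anyuid_open_to_all`.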
