[Container-tools] openshift is way too permissive in the CDK/ADB

Dusty Mabe dusty at dustymabe.com
Wed May 18 03:27:07 UTC 2016


Currently we are configuring openshift in the CDK/ADB to be more
permissive than it should be when running containers.

At [1] we are setting:

    oadm policy add-scc-to-group anyuid system:authenticated

From my experiments this means that containers run as anyuid and thus
can be root, cc clayton for confirmation.

What this means is that we are misleading users to thinking things
will run in production OpenShift, when the production OpenShift most
likely won't have things configured this way.

We should probably not be doing this. Reverting this change will also
mean that proposed demos, etc.. should be retested on the newer version
meticulously. 

Dusty

[1] https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47
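As an added example that is not part of the original message or of the adb-utils project: a Python audit that flags an SCC whose grant to a broad group (such as the `anyuid` to `system:authenticated` line quoted above) would let every user run containers as arbitrary UIDs, and that builds the matching `oadm policy remove-scc-from-group` revert. The SCC document is a constructed sample in the shape of `oc get scc anyuid -o json`, not data from a real cluster.

```python
"""Audit OpenShift SecurityContextConstraints (SCC) objects for grants that let
every authenticated user run containers as any UID, as the CDK/ADB line
`oadm policy add-scc-to-group anyuid system:authenticated` does."""
import json

# Groups that effectively mean "everyone" on the cluster.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Constructed sample: what the anyuid SCC looks like after the provisioning
# script has added system:authenticated to it (not from a real cluster).
SAMPLE_SCC_JSON = json.dumps({
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "anyuid"},
    "allowPrivilegedContainer": False,
    "runAsUser": {"type": "RunAsAny"},
    "groups": ["system:cluster-admins", "system:authenticated"],
    "users": [],
})


def scc_findings(scc_json: str) -> list:
    """Return (scc_name, group) pairs where a broad group has been granted an
    SCC that does not pin the container UID (RunAsAny) or that allows
    privileged containers. Such grants let workloads run as root locally even
    though a production cluster would normally reject them."""
    scc = json.loads(scc_json)
    name = scc["metadata"]["name"]
    run_as = scc.get("runAsUser", {}).get("type", "")
    permissive = run_as == "RunAsAny" or scc.get("allowPrivilegedContainer", False)
    if not permissive:
        return []
    return [(name, g) for g in scc.get("groups", []) if g in BROAD_GROUPS]


def revert_commands(findings: list) -> list:
    """Build the oadm commands that undo each broad grant, i.e. the inverse of
    the add-scc-to-group call quoted in the message."""
    return [f"oadm policy remove-scc-from-group {scc} {group}"
            for scc, group in findings]


if __name__ == "__main__":
    found = scc_findings(SAMPLE_SCC_JSON)
    for scc, group in found:
        print(f"{scc}: granted to broad group {group}")
    for cmd in revert_commands(found):
        print(cmd)
```

Feeding it real `oc get scc <name> -o json` output for each SCC on the cluster gives the full list of broad grants to revert before retesting demos against the tightened policy.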
