[Container-tools] openshift is way too permissive in the CDK/ADB

Dusty Mabe dusty at dustymabe.com
Wed May 18 12:28:26 UTC 2016



On 05/18/2016 07:10 AM, Clayton Coleman wrote:
> It was a deliberate choice, predicated on other changes coming to
> Docker (user namespaces) plus the desire to ensure demos run.
> 

I guess this was surprising to me. To me part of the "promise" of
the CDK is that you are running in an environment that more closely
resembles production. I know there are many places where this promise
falls apart, but this seems like a fundamental one since this is the
one huge learning gap when going from running in kube to running in
openshift.

I would almost prefer for this to be a question asked on startup of
the cdk (that can be overridden). The question could explain the
limitation and why it will exist in production and then the user can
choose if they want to ignore and run without restrictions.

As a side note, how far off are user namespaces? From my understanding
that's not really coming soon.

> Ultimately, the CDK is a playground.  Putting up chain link fences
> around the playground sends the wrong message.
> 
> I'd prefer to have it easier to go between the levels in the short
> term than to ratchet it back.
> 


>> On May 17, 2016, at 11:27 PM, Dusty Mabe <dusty at dustymabe.com> wrote:
>>
>>
>> Currently we are configuring openshift in the CDK/ADB to be more
>> permissive than it should be when running containers.
>>
>> At [1] we are setting:
>>
>>    oadm policy add-scc-to-group anyuid system:authenticated
>>
>> From my experiments this means that containers run as anyuid and thus
>> can be root, cc clayton for confirmation.
>>
>> What this means is that we are misleading users to thinking things
>> will run in production OpenShift, when the production OpenShift most
>> likely won't have things configured this way.
>>
>> We should probably not be doing this. Reverting this change will also
>> mean that proposed demos, etc., should be retested on the newer version
>> meticulously.
>>
>> Dusty
>>
>> [1] https://github.com/projectatomic/adb-utils/blob/01adadd904dea98033c9c83d0648d90f5e8f2806/services/openshift/scripts/openshift_provision#L47
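The grant discussed in this thread (`oadm policy add-scc-to-group anyuid system:authenticated`) makes the `anyuid` SecurityContextConstraints apply to every authenticated user, so any pod may pick its own UID, including root. The script below is an added example, not code from the thread or from the adb-utils project: it audits the JSON that `oc get scc -o json` produces and flags any SCC that allows an arbitrary UID or privileged containers while being granted to a cluster-wide group. The function names (`audit_scc_grants`, `scc_is_permissive`, `remediation_commands`) and the sample SCC list are constructed for this example; the JSON field names (`runAsUser.type`, `allowPrivilegedContainer`, `groups`) follow the OpenShift 3.x SCC object.

```python
"""Audit OpenShift SecurityContextConstraints (SCC) group grants.

Added example, not code from the thread or from adb-utils. It reads the
JSON shape produced by `oc get scc -o json` (an SCC list with `items`) and
flags any SCC that allows an arbitrary UID (runAsUser.type == RunAsAny) or
privileged containers while being granted to a broad group such as
system:authenticated, which is the state the thread describes.
"""
import json
import sys

# Groups that effectively mean "every user or pod in the cluster".
BROAD_GROUPS = {
    "system:authenticated",
    "system:authenticated:oauth",
    "system:serviceaccounts",
    "system:unauthenticated",
}


def scc_is_permissive(scc):
    """True if this SCC lets a pod choose any UID (including 0) or run privileged."""
    run_as = scc.get("runAsUser", {}).get("type")
    return run_as == "RunAsAny" or scc.get("allowPrivilegedContainer", False)


def audit_scc_grants(scc_list, broad_groups=BROAD_GROUPS):
    """Return (scc_name, group) pairs where a permissive SCC is granted to a broad group."""
    findings = []
    for scc in scc_list.get("items", []):
        if not scc_is_permissive(scc):
            continue
        name = scc["metadata"]["name"]
        for group in scc.get("groups") or []:
            if group in broad_groups:
                findings.append((name, group))
    return findings


def remediation_commands(findings):
    """oadm commands that undo each broad grant (OpenShift 3.x `oadm policy` syntax)."""
    return ["oadm policy remove-scc-from-group %s %s" % (scc, group)
            for scc, group in findings]


# Constructed sample mirroring what `oc get scc -o json` returns after
# `oadm policy add-scc-to-group anyuid system:authenticated` has been run.
SAMPLE_SCC_LIST = json.loads("""
{
  "kind": "List",
  "items": [
    {
      "kind": "SecurityContextConstraints",
      "metadata": {"name": "restricted"},
      "allowPrivilegedContainer": false,
      "runAsUser": {"type": "MustRunAsRange"},
      "groups": ["system:authenticated"]
    },
    {
      "kind": "SecurityContextConstraints",
      "metadata": {"name": "anyuid"},
      "allowPrivilegedContainer": false,
      "priority": 10,
      "runAsUser": {"type": "RunAsAny"},
      "groups": ["system:cluster-admins", "system:authenticated"]
    },
    {
      "kind": "SecurityContextConstraints",
      "metadata": {"name": "privileged"},
      "allowPrivilegedContainer": true,
      "runAsUser": {"type": "RunAsAny"},
      "groups": ["system:cluster-admins", "system:nodes"]
    }
  ]
}
""")

if __name__ == "__main__":
    # Real use: pipe `oc get scc -o json` into this script; with no stdin
    # data the constructed sample above is audited instead.
    scc_list = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_SCC_LIST
    findings = audit_scc_grants(scc_list)
    for scc, group in findings:
        print("permissive SCC %r granted to broad group %r" % (scc, group))
    for cmd in remediation_commands(findings):
        print("  fix: " + cmd)
```

On the sample data the only finding is `anyuid` granted to `system:authenticated`; `restricted` is bound to the same group but forces a UID from the project's range, and `privileged` is only bound to admins and nodes, so neither is reported. Because `anyuid` carries a higher priority than `restricted`, granting it to `system:authenticated` makes it the SCC selected for every ordinary pod, which is why the thread's concern is about the whole cluster rather than one project.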