
We had a "default" user in the Dockerfile and an entrypoint shell script, which needs to be executed at run time. When we deployed this into an OpenShift cluster (4.6), the pod had a different user, and because of this the entrypoint shell script is failing, hence the application is not coming up. Please suggest how to execute those shell scripts even with the user in the pod.

kumar kittu
  • What is this default user that you are referring to? Can you provide more details? A quick guess based on what you said would be to use OpenShift [security context constraints](https://docs.openshift.com/container-platform/4.6/authentication/managing-security-context-constraints.html). – acid_fuji Nov 10 '20 at 09:04

1 Answer


OpenShift provides security context constraints (SCCs) to control permissions for pods. With them you are able to control the permissions/actions that a pod or collection of containers can perform and what resources they can access. A couple of things that SCCs allow an administrator to control:

  • Whether a pod can run privileged containers.
  • The SELinux context of the container.
  • The container user ID.
  • The allocation of an FSGroup that owns the pod’s volumes.
  • The configuration of allowable supplemental groups.
  • Whether a container requires the use of a read only root file system.
  • The usage of volume types.

SCCs are composed of settings and strategies that control the security features a pod has access to. If I understood your question correctly, you want to check the RunAsUser strategies:

  1. MustRunAs - Requires a runAsUser to be configured. Uses the configured runAsUser as the default. Validates against the configured runAsUser.

  2. MustRunAsRange - Requires minimum and maximum values to be defined if not using pre-allocated values. Uses the minimum as the default. Validates against the entire allowable range.

  3. MustRunAsNonRoot - Requires that the pod be submitted with a non-zero runAsUser or have the USER directive defined in the image. No default provided.

  4. RunAsAny - No default provided. Allows any runAsUser to be specified.

For more, please have a look at the official OpenShift docs.

acid_fuji
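The following is an added example, not part of the answer above: a small Python model of the four RunAsUser strategies as the answer describes them, showing which UID a container ends up with and why an image's `USER` can be overridden. The function name, the dictionary keys (modelled on the `type`, `uid`, `uidRangeMin` and `uidRangeMax` fields of an SCC `runAsUser` stanza) and the UID range are constructed for illustration.

```python
from typing import Optional

def resolve_run_as_user(strategy: dict, pod_uid: Optional[int] = None,
                        image_uid: Optional[int] = None) -> int:
    """Return the UID the container runs as, or raise ValueError if rejected.

    strategy  -- dict modelled on an SCC runAsUser stanza (hypothetical model)
    pod_uid   -- runAsUser from the pod's securityContext, if set
    image_uid -- numeric USER from the image, if any
    """
    kind = strategy["type"]
    if kind == "MustRunAs":
        # Configured uid is the default and the only value accepted.
        if pod_uid is not None and pod_uid != strategy["uid"]:
            raise ValueError(f"runAsUser {pod_uid} != required {strategy['uid']}")
        return strategy["uid"]
    if kind == "MustRunAsRange":
        lo, hi = strategy["uidRangeMin"], strategy["uidRangeMax"]
        if pod_uid is None:
            return lo  # minimum is the default; the image USER is not consulted
        if not lo <= pod_uid <= hi:
            raise ValueError(f"runAsUser {pod_uid} outside {lo}-{hi}")
        return pod_uid
    # The remaining strategies provide no default, so the pod's runAsUser
    # applies, then the image USER, then root (container runtime default).
    effective = pod_uid if pod_uid is not None else image_uid
    if kind == "MustRunAsNonRoot":
        if effective is None or effective == 0:
            raise ValueError("non-zero runAsUser or image USER required")
        return effective
    if kind == "RunAsAny":
        return effective if effective is not None else 0
    raise ValueError(f"unknown strategy {kind!r}")

# Constructed sample: a range strategy and an image built with USER 1001.
SAMPLE_RANGE = {"type": "MustRunAsRange",
                "uidRangeMin": 1000620000, "uidRangeMax": 1000629999}

if __name__ == "__main__":
    # The pod sets no runAsUser, so it gets the range minimum, not 1001.
    print(resolve_run_as_user(SAMPLE_RANGE, image_uid=1001))
```

Under a range strategy the entrypoint script runs as a UID the image never defined, which matches the symptom in the question; asking for the image's own UID in the pod spec is rejected unless it falls inside the range.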