Description of problem: Failed to prevent s2i builder images from running as root Version-Release number of selected component (if applicable): openshift v3.5.5.31.67 kubernetes v1.5.2+43a9be4 etcd 3.1.0 How reproducible: Always Steps to Reproduce: 1.Build image with Dockerfile set instruction "USER 0" in it 2.Use above built image to do s2i build $ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/build/tc499515/test-buildconfig-user0.json 3.Check build status Actual results: Build is completed Expected results: Build is failed with error in log: "must specify a user that is numeric and within the range of allowed users" Additional info:
Also can reproduce on release verson v3.5.5.31.66, so removing regression keyword.
Could not reproduce with default installation (origin 1.5 via oc cluster up). These builds can be allowed if the cluster admin grants the `builder` service account an elevated security context constraint, such as `anyuid`. Can you please provide the security context constraints applied to the builder service account for these tests?
Related bug: https://bugzilla.redhat.com/show_bug.cgi?id=1464356
Pull Request: https://github.com/openshift/ose/pull/1272
Verified oc v3.5.5.31.80 kubernetes v1.5.2+43a9be4 features: Basic-Auth GSSAPI Kerberos SPNEGO Server openshift v3.5.5.31.80 kubernetes v1.5.2+43a9be4 # oc logs -f build/ruby-sample-build-user0-1 Cloning "https://github.com/openshift/ruby-hello-world.git" ... Commit: 7ccd3242c49c3868195ca9400a539fa611111096 (Merge pull request #71 from bparees/gemfile2) Author: Ben Parees <bparees.github.com> Date: Fri Feb 9 18:24:07 2018 -0500 error: build error: image "docker.io/aosqe/ruby-20-centos7:user0" must specify a user that is numeric and within the range of allowed users
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:3624