Description of problem: We see these pods running as root in our 4.6 cluster. I didn't see a reason why they need to do that. - openshift-multus/multus-admission-controller (multus-admission-controller container) - openshift-multus/network-metrics-daemon (network-metrics-daemon container) To run in a financial services environment we need to explain why these are running as root or (preferably) change them if root is not required. Can you provide an explanation or change these as appropriate? Version-Release number of selected component (if applicable): $ oc version Client Version: 4.5.0-202005291417-9933eb9 Server Version: 4.6.9 Kubernetes Version: v1.19.0+7070803 How reproducible: Always Steps to Reproduce: 1. Run 'oc exec -n NS POD -- ps -e -o pid,uid,cmd' Actual results: + oc exec -n openshift-multus multus-admission-controller-5t6l4 -c multus-admission-controller -- ps -e -o pid,uid,cmd PID UID CMD 1 0 /usr/bin/webhook -bind-address=0.0.0.0 -port=6443 -tls-private-key-file=/etc/webhook/tls.key -tls-cert-file=/etc/webhook/tls.crt -alsologtostderr=true -metrics-listen-address=127.0.0.1:9091 + oc exec -n openshift-multus network-metrics-daemon-5t8sw -c network-metrics-daemon -- ps -e -o pid,uid,cmd PID UID CMD 1 0 /usr/bin/network-metrics --node-name 10.171.43.196 Expected results: UID is not 0 Additional info:
Looks good! Thanks Nikhil ------------------------------ results $ oc exec -n openshift-multus multus-admission-controller-gfjrl -c multus-admission-controller -- ps -e -o pid,uid,cmd PID UID CMD 1 65534 /usr/bin/webhook -bind-address=0.0.0.0 -port=6443 -tls-private-key-file=/etc/webhook/tls.key -tls-cert-file=/etc/webhook/tls.crt -alsologtostderr=true -metrics-listen-address=127.0.0.1:9091 17 65534 ps -e -o pid,uid,cmd $ oc exec -n openshift-multus network-metrics-daemon-bcn9c -c network-metrics-daemon -- ps -e -o pid,uid,cmd PID UID CMD 1 65534 /usr/bin/network-metrics --node-name ci-ln-7bfwsy2-f76d1-npgwd-master-2 16 65534 ps -e -o pid,uid,cmd
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759