Description of problem:
The image registry "node-ca" securityContext says the pod is privileged and does not specify a user. I (perhaps naively) expected to see the container running as root, while it actually runs as uid=1001. Digging deeper, I see uid=1001 matches up with host file permissions, so it makes sense.
I encountered that as part of looking for pods that run as root in prep for running in a financial services environment.
- Can you confirm the "node-ca" pod should be privileged?
- Would you consider adding "runAsUser: 1001" to the securityContext rather than relying on the container image? If nothing else, it might make this behavior clearer.
Version-Release number of selected component (if applicable):
$ oc version
Client Version: 4.5.0-202005291417-9933eb9
Server Version: 4.6.9
Kubernetes Version: v1.19.0+7070803
Steps to Reproduce:
Verified on 4.7.0-0.nightly-2021-02-02-164630:
$ oc get ds node-ca -o yaml | grep runAs
$ oc rsh node-ca-2v56t
uid=1001(1001) gid=0(root) groups=0(root)
Looks good to me :-) Thanks!
Are there any plans to back-port this?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
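
An added example, not part of the original bug report or of OpenShift's own code: a sketch of the audit the reporter describes, which separates containers whose UID is stated in the spec from those where it can only be learned from the image. The sample data, the workload names other than node-ca, and the verdict labels are constructed for illustration.

```python
# Constructed sample shaped like `oc get ds -o json` output; not real cluster data.
SAMPLE = {"items": [
    {"metadata": {"name": "node-ca"},  # as reported: privileged, no user in the spec
     "spec": {"template": {"spec": {"containers": [
         {"name": "node-ca", "securityContext": {"privileged": True}}]}}}},
    {"metadata": {"name": "node-ca-explicit"},  # hypothetical: with the requested runAsUser
     "spec": {"template": {"spec": {"containers": [
         {"name": "node-ca",
          "securityContext": {"privileged": True, "runAsUser": 1001}}]}}}},
    {"metadata": {"name": "example-root"},  # hypothetical: UID 0 set at pod level
     "spec": {"template": {"spec": {"securityContext": {"runAsUser": 0},
                                    "containers": [{"name": "agent"}]}}}},
]}


def effective_sc(pod_spec, container):
    """Merge pod-level and container-level securityContext; the container wins."""
    merged = dict(pod_spec.get("securityContext") or {})
    merged.update(container.get("securityContext") or {})
    return merged


def audit(workloads):
    """Return (workload, container, privileged, verdict) for every container."""
    findings = []
    for item in workloads["items"]:
        spec = item["spec"]["template"]["spec"]
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            sc = effective_sc(spec, c)
            uid = sc.get("runAsUser")
            if uid == 0:
                verdict = "runs-as-root"
            elif uid is not None:
                verdict = "explicit-nonroot"
            elif sc.get("runAsNonRoot"):
                verdict = "nonroot-enforced"  # a UID 0 image would be refused at start
            else:
                # The spec is silent: the image's USER (or an admission-time
                # default) decides, so this needs a check inside the container.
                verdict = "uid-from-image"
            findings.append((item["metadata"]["name"], c["name"],
                             bool(sc.get("privileged")), verdict))
    return findings


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

To run it against a cluster, replace SAMPLE with the parsed output of `oc get ds -A -o json`.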