Description of problem: The image registry "node-ca" securityContext says the pod is privileged and does not specify a user. I (perhaps naively) expected to see the container running as root, while it actually runs as uid=1001. Digging deeper, I see uid=1001 matches up with host file permissions, so it makes sense. I encountered that as part of looking for pods that run as root in prep for running in a financial services environment. - Can you confirm the "node-ca" pod should be privileged? - Would you consider adding "runAsUser: 1001" to the securityContext rather than relying on the container image? If nothing else, it might make this behavior clearer. Version-Release number of selected component (if applicable): $ oc version Client Version: 4.5.0-202005291417-9933eb9 Server Version: 4.6.9 Kubernetes Version: v1.19.0+7070803 How reproducible: Always Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
Verified on 4.7.0-0.nightly-2021-02-02-164630: $ oc get ds node-ca -o yaml | grep runAs f:runAsGroup: {} f:runAsUser: {} runAsGroup: 0 runAsUser: 1001 $ oc rsh node-ca-2v56t sh-4.4$ id uid=1001(1001) gid=0(root) groups=0(root)
Looks good to me :-) Thanks! Are there any plans to back-port this?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633