karan singh

Allow Containers to run as root on OpenShift 4 : Hack

🤫 Don’t tell anyone that I shared this trick with you

Let me tell you that OpenShift is the most secure Kubernetes distribution on this planet. OpenShift takes responsibility for securing your apps, which is why, by default, it does not allow containers to run as root.

“First principle: never, ever run your containers as the root user”

Having said that, there are times when you want to run some pokemon container image that you found on a random container registry on your OpenShift homelab/dev/test cluster.

To do so, you need to allow that container image to run as root, and this is how you do it.

1. Log in to OpenShift as system:admin

oc login -u system:admin -n default

2. Create a new project where you will be running that insecure container

oc new-project pokemon-prj

3. Add the anyuid security context constraint (SCC) to the service account that creates your deployment; by default this is the service account named default. The -z flag tells oc that the target is a service account rather than a user.

oc adm policy add-scc-to-user anyuid -z default

4. You are all set. Deploy or re-deploy your containers in the pokemon-prj project; they should work now.
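As an added example (not part of the original post), here is a small Python audit a cluster admin can run against JSON captured from oc get scc anyuid -o json and oc get pods -A -o json, to see which service accounts have been granted anyuid and which admitted pods may actually be running as UID 0. The JSON below is constructed sample data; the pod annotation openshift.io/scc is what the SCC admission plugin records on each admitted pod.

```python
import json

# Constructed sample of `oc get scc anyuid -o json` after step 3 above
# (example data, not captured from a real cluster).
SCC_ANYUID_JSON = json.dumps({
    "metadata": {"name": "anyuid"},
    "users": ["system:serviceaccount:pokemon-prj:default"],
})

# Constructed sample of `oc get pods -A -o json`, trimmed to the fields used here.
# openshift.io/scc is the annotation the SCC admission plugin sets on each pod.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "pokemon-1", "namespace": "pokemon-prj",
                  "annotations": {"openshift.io/scc": "anyuid"}},
     "spec": {"containers": [{"name": "app"}]}},
    {"metadata": {"name": "pokemon-2", "namespace": "pokemon-prj",
                  "annotations": {"openshift.io/scc": "anyuid"}},
     "spec": {"containers": [{"name": "app", "securityContext": {"runAsUser": 1001}}]}},
    {"metadata": {"name": "web-1", "namespace": "team-a",
                  "annotations": {"openshift.io/scc": "restricted-v2"}},
     "spec": {"containers": [{"name": "app"}]}},
]})

def anyuid_service_accounts(scc_json):
    """Service accounts listed directly on the anyuid SCC, as (namespace, name)."""
    found = []
    for user in json.loads(scc_json).get("users", []):
        parts = user.split(":")
        if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
            found.append((parts[2], parts[3]))
    return found

def pods_that_may_run_as_root(pods_json):
    """Pods admitted under anyuid where a container can end up as UID 0.
    anyuid does not assign a UID, so an unset runAsUser means the image's
    USER directive decides, and for many public images that is root."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        meta = pod["metadata"]
        if meta.get("annotations", {}).get("openshift.io/scc") != "anyuid":
            continue
        pod_uid = pod["spec"].get("securityContext", {}).get("runAsUser")
        for c in pod["spec"]["containers"]:
            uid = c.get("securityContext", {}).get("runAsUser", pod_uid)
            if uid is None or uid == 0:
                why = "runAsUser unset (image USER decides)" if uid is None else "runAsUser is 0"
                findings.append((meta["namespace"], meta["name"], c["name"], why))
    return findings
```

A finding here means the grant from step 3 is actually being exercised; oc adm policy remove-scc-from-user anyuid -z default reverts it once the experiment is over.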

Summary

  • Don’t ever run containers as root in production environments
  • Don’t tell anyone that you learned this hack from this blog

Top comments (2)

Beeblebrox • Edited

...and you just enabled a security hole for the whole cluster 🤦
I know you want to get clicks and views using "marketing" shenanigans and you added a bullet point in the summary. It's not a "hack", it is simply unprofessional.

It is a feature; it is not designed by mistake, and not so someone can "hack it with a trick not told to anyone", but because a container running as root has full control of the host system, and you help inexperienced people to shoot themselves in the foot.

Maybe this helps to understand how big an issue root in a container can be:
redhat.com/en/blog/preview-running...
redhat.com/en/blog/understanding-r...

VMM-MMV • Edited

What about initContainers? I have an app that requires write permission. The way I solved it now is that I gave the group on that folder root permission:
RUN chgrp -R 0 /application && \
chmod -R g=u /application

But to do this I have to make another docker image. So I thought, what if I make the folder inside the initContainer and then connect it to the actual container with a mount?

      initContainers:
        - name: init-chmod-data
          image: busybox
          command:
            - /bin/sh
            - -c
            - |
              mkdir -p /prometheus
              chown -R 1001:0 /prometheus
              chmod -R g=u /prometheus
          volumeMounts:
            - name: prometheus-data
              mountPath: /prometheus
          securityContext:
            runAsUser: 0
            runAsGroup: 0

      containers:
        - name: prometheus
          image: prom/prometheus:latest
          ports:
            - containerPort: 9090
          volumeMounts:
            - name: prometheus-data
              mountPath: /prometheus

But I require permission for this. So is it okay in such a scenario?