OpenShift does not allow running containers as root, but you can do this by creating a service account:
oc adm policy add-scc-to-user anyuid -z useroot
and then patching the deployment configuration. This consequently deploys a new replication controller version with the new changes. Is it possible to create the service account and include it in the following command:
oc new-app --name=test --docker-image=myregistry.com/test:latest
that is, have the service account name included in the above command, to avoid having a new version of the app? Or is there any other possibility to foresee this root permission error and decrease the security for the pod so it runs as root, without patching or redeploying the app?
Will and Graham have already provided great comments for you, so I will add some practical details as follows.
If you grant the anyuid SCC to the default ServiceAccount before oc new-app, the test pods will run with root permission without a version change.
# oc adm policy add-scc-to-user anyuid -z default
# oc new-app --name=test --docker-image=myregistry.com/test:latest
# oc rollout history dc/test
deploymentconfigs "test"
REVISION        STATUS          CAUSE
1               Complete        config change
# oc rsh dc/test id
uid=0(root) gid=0(root) groups=0(root)
OR
If you need to specify a custom ServiceAccount name, you can extract the oc new-app YAML and create the resources after adding a serviceAccountName: useroot element to it. These steps also do not change the deployment version.
# oc create sa useroot
# oc adm policy add-scc-to-user anyuid -z useroot
# oc new-app --name=test --docker-image=myregistry.com/test:latest -o yaml --dry-run > test.yml
# vim test.yml
apiVersion: v1
items:
- apiVersion: apps.openshift.io/v1
  kind: DeploymentConfig
  ...
  spec:
    ...
    template:
      spec:
        serviceAccountName: useroot
        ...
# oc create -f ./test.yml
imagestream.image.openshift.io/test created
deploymentconfig.apps.openshift.io/test created
service/test created
# oc rollout history dc/test
deploymentconfigs "test"
REVISION        STATUS          CAUSE
1               Complete        config change
# oc rsh dc/test id
uid=0(root) gid=0(root) groups=0(root)
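The second approach in the answer above (a dedicated useroot ServiceAccount) is the one to prefer from a security standpoint: every pod in the project that does not set serviceAccountName runs as default, so granting anyuid to default widens root access to all of them, while a dedicated account scopes it to the workloads that explicitly opt in. The manual vim step can be scripted so the manifest is created with the right account on revision 1. The following is an added example, not code from the original answer or from OpenShift: it reads the JSON form of the dry-run output (oc new-app ... -o json --dry-run), inserts serviceAccountName into the pod template of each DeploymentConfig (and also Deployment/StatefulSet/DaemonSet, since newer oc new-app versions emit Deployments), refuses to silently replace a different account that is already set, and reports which account each workload would actually run as. The sample List manifest embedded in the script is constructed to mirror the answer's test app; the script name set_sa.py is assumed.

```python
"""Set serviceAccountName on the workloads in an `oc new-app -o json --dry-run`
List before `oc create -f`, so no second rollout revision is needed.

Added example, not from the original answer. The manifest below is a
constructed stand-in for the real `oc new-app` output.
"""
import json
import sys

# Kinds whose pods get their identity from spec.template.spec.serviceAccountName
WORKLOAD_KINDS = {"DeploymentConfig", "Deployment", "StatefulSet", "DaemonSet"}

# Constructed stand-in for:
#   oc new-app --name=test --docker-image=myregistry.com/test:latest -o json --dry-run
SAMPLE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "image.openshift.io/v1", "kind": "ImageStream",
         "metadata": {"name": "test"}},
        {"apiVersion": "apps.openshift.io/v1", "kind": "DeploymentConfig",
         "metadata": {"name": "test"},
         "spec": {"replicas": 1,
                  "template": {"spec": {"containers": [
                      {"name": "test", "image": "myregistry.com/test:latest"}]}}}},
        {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "test"}},
    ],
})


def sample_manifest():
    """Return the constructed sample List as a dict."""
    return json.loads(SAMPLE_LIST)


def _workloads(manifest):
    items = manifest["items"] if manifest.get("kind") == "List" else [manifest]
    return [i for i in items if i.get("kind") in WORKLOAD_KINDS]


def service_accounts_in(manifest):
    """Map each workload to the ServiceAccount its pods will run as.

    An unset serviceAccountName means the pods use the project's `default`
    account, which is why granting anyuid to `default` affects every such pod.
    """
    return {
        f"{i['kind']}/{i['metadata']['name']}":
            i["spec"]["template"].get("spec", {}).get("serviceAccountName") or "default"
        for i in _workloads(manifest)
    }


def set_service_account(manifest, sa_name):
    """Set spec.template.spec.serviceAccountName on every workload in place.

    Returns the list of changed objects. Raises if an object already names a
    different account: overwriting it would be an unintended privilege change.
    """
    changed = []
    for item in _workloads(manifest):
        pod_spec = item["spec"]["template"].setdefault("spec", {})
        current = pod_spec.get("serviceAccountName")
        if current not in (None, "", sa_name):
            raise ValueError(
                f"{item['kind']}/{item['metadata']['name']} already uses "
                f"ServiceAccount {current!r}; refusing to replace it")
        pod_spec["serviceAccountName"] = sa_name
        if "serviceAccount" in pod_spec:          # deprecated alias; keep consistent
            pod_spec["serviceAccount"] = sa_name
        changed.append(f"{item['kind']}/{item['metadata']['name']}")
    return changed


def main():
    # Usage (assumed script name):
    #   oc create sa useroot
    #   oc adm policy add-scc-to-user anyuid -z useroot
    #   oc new-app --name=test --docker-image=myregistry.com/test:latest \
    #       -o json --dry-run | python3 set_sa.py useroot > test.json
    #   oc create -f ./test.json
    sa_name = sys.argv[1] if len(sys.argv) > 1 else "useroot"
    manifest = sample_manifest() if sys.stdin.isatty() else json.load(sys.stdin)
    changed = set_service_account(manifest, sa_name)
    json.dump(manifest, sys.stdout, indent=2)
    print(f"\n# serviceAccountName={sa_name} set on: {', '.join(changed)}",
          file=sys.stderr)


if __name__ == "__main__":
    main()
```

With no stdin the script rewrites the embedded sample, which is handy for checking what it does before pointing it at a real dry-run. After oc create -f, the same checks as in the answer apply: oc rollout history dc/test should show a single revision and oc rsh dc/test id should report uid=0.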