I have an SCC defined that lets the developer user run containers as UID 1015:

```yaml
kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: developer
allowPrivilegedContainer: false
runAsUser:
  type: MustRunAs
  uid: 1015
seLinuxContext:
  type: MustRunAs
  uid: 1015   # not a seLinuxContext field (the strategy takes only type and seLinuxOptions)
users:
- developer
```

This SCC works fine when I create a pod directly as the developer user:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-1-0
spec:
  securityContext:
    runAsUser: 1015
  containers:
  - name: test-1-0
    image: test-image:1.0
    imagePullPolicy: "Always"
    volumeMounts:
    - name: secret-dir
      mountPath: "/secrets"
      readOnly: true
  volumes:
  - name: secret-dir
    secret:
      secretName: test-1.0-configs
```

However, when I transition this to a deployment, I get an error. Here's my YAML:
```yaml
kind: "DeploymentConfig"
apiVersion: "v1"
metadata:
  name: "test-1-0"
spec:
  template:
    metadata:
      labels:
        name: "test-1-0"
    spec:
      securityContext:
        runAsUser: 1015
      containers:
      - name: test-1-0
        image: test-image:1.0
        imagePullPolicy: "Always"
        volumeMounts:
        - name: secret-dir
          mountPath: "/secrets"
          readOnly: true
      volumes:
      - name: secret-dir
        secret:
          secretName: test-1.0-configs
  replicas: 2
  selector:
    name: "test-1-0"
```

And the error I receive:
```text
Error creating: pods "test-1-0-1-" is forbidden: unable to validate against any security context constraint: [securityContext.runAsUser: Invalid value: 1015: UID on container test-1-0 does not match required range. Found 1015, required min: 1000050000 max: 1000059999]
```

It's as if the deployment is deploying pods NOT as the user I created the deployment with. Is there any way to resolve that?
It is probably better to dictate what SCC is to be used for the deployment via a service account.
First off, create the SCC. Using what I have tested as an example, I created uid1000.json containing:
```json
{
  "apiVersion": "v1",
  "kind": "SecurityContextConstraints",
  "metadata": {
    "name": "uid1000"
  },
  "requiredDropCapabilities": [
    "KILL",
    "MKNOD",
    "SYS_CHROOT",
    "SETUID",
    "SETGID"
  ],
  "runAsUser": {
    "type": "MustRunAs",
    "uid": 1000
  },
  "seLinuxContext": {
    "type": "MustRunAs"
  },
  "fsGroup": {
    "type": "MustRunAs"
  },
  "supplementalGroups": {
    "type": "RunAsAny"
  },
  "volumes": [
    "configMap",
    "downwardAPI",
    "emptyDir",
    "persistentVolumeClaim",
    "projected",
    "secret"
  ]
}
```
Then ran:
```shell
oc create -f uid1000.json --as system:admin
```

You need to be an admin to do that.
Next I created a service account in the target project just for running the application which needs this SCC.
```shell
oc create serviceaccount runasuid1000
```

I now say that anything run as this service account should use the new SCC.
```shell
oc adm policy add-scc-to-user uid1000 -z runasuid1000 --as system:admin
```

Again, you need to be an admin to do that. The -z option means use the current project, so make sure you are in the right one.
Finally I patch the existing deployment config.
```shell
oc patch dc/minimal-notebook --patch '{"spec":{"template":{"spec":{"serviceAccountName": "runasuid1000"}}}}'
```

If necessary, due to the config change trigger being disabled, trigger a new deployment:
```shell
oc rollout latest minimal-notebook
```

This will force the container to run as uid 1000, overriding what the image even says it should run as according to the USER definition.
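Why the answer's service-account route works, and why the question's DeploymentConfig fails, comes down to which identity SCC admission evaluates: a Pod created with `oc create -f pod.yaml` is checked against the SCCs the developer user may use, while the pods a DeploymentConfig stamps out are checked against the pod's service account (`default` unless `serviceAccountName` is set); the user who created the DeploymentConfig is not part of that check. The `default` service account only has the `restricted` SCC, whose `MustRunAsRange` strategy takes its UID range from the project's `openshift.io/sa.scc.uid-range` annotation, which is where the `1000050000`..`1000059999` range in the error comes from. The following is an added example, not code from the question or the answer, that models that admission check for the `runAsUser` strategy. The `restricted` SCC definition, the project name `myproject`, the service-account group names and the annotation value are constructed here; real OpenShift also orders SCCs by priority and restrictiveness and considers both the requesting user and the pod's service account, which this model folds into one `creator` identity and a fixed SCC order.

```python
"""Simplified model of OpenShift SCC admission for runAsUser (added example).

Assumptions not on the page: the 'restricted' SCC definition, the project name
"myproject", the group names a service account carries, and the project's
openshift.io/sa.scc.uid-range annotation are all constructed here. Real
admission also sorts SCCs by priority and restrictiveness and considers both
the requesting user and the pod's serviceAccountName; this model folds that
into a single `creator` identity and a fixed SCC order.
"""

UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"

# The question's SCC: bound to the developer user, pins UID 1015.
DEVELOPER = {
    "metadata": {"name": "developer"},
    "runAsUser": {"type": "MustRunAs", "uid": 1015},
    "users": ["developer"],
}
# The answer's SCC after `oc adm policy add-scc-to-user uid1000 -z runasuid1000`,
# which adds the service account's full name to .users ("myproject" assumed).
UID1000 = {
    "metadata": {"name": "uid1000"},
    "runAsUser": {"type": "MustRunAs", "uid": 1000},
    "users": ["system:serviceaccount:myproject:runasuid1000"],
}
# Constructed stand-in for the default 'restricted' SCC: usable by every
# authenticated identity, UID must fall inside the project's allocated range.
RESTRICTED = {
    "metadata": {"name": "restricted"},
    "runAsUser": {"type": "MustRunAsRange"},
    "groups": ["system:authenticated"],
}
# Most specific first; stands in for OpenShift's priority/restrictiveness sort.
ALL_SCCS = [DEVELOPER, UID1000, RESTRICTED]

# Constructed project annotation "<start>/<size>": 10000 UIDs from 1000050000,
# which is exactly the min/max quoted in the question's error message.
PROJECT_ANNOTATIONS = {UID_RANGE_ANNOTATION: "1000050000/10000"}

# Groups carried by any service account in "myproject".
SA_GROUPS = ["system:serviceaccounts", "system:serviceaccounts:myproject",
             "system:authenticated"]

# Pod specs: the question's (pins 1015) and one that leaves the UID to the SCC.
POD_1015 = {"spec": {"securityContext": {"runAsUser": 1015}}}
POD_DEFAULT_UID = {"spec": {}}


def project_uid_range(annotations):
    """Parse '<start>/<size>' into an inclusive (min, max) pair."""
    start, size = annotations[UID_RANGE_ANNOTATION].split("/")
    return int(start), int(start) + int(size) - 1


def validate_run_as_user(scc, requested_uid, annotations):
    """Apply one SCC's runAsUser strategy; return (ok, effective_uid, reason).

    A pod that sets no runAsUser is defaulted (pinned UID for MustRunAs, range
    minimum for MustRunAsRange); a pod that sets one must satisfy the strategy.
    """
    strategy = scc["runAsUser"]
    kind = strategy["type"]
    if kind == "RunAsAny":
        return True, requested_uid, ""
    if kind == "MustRunAs":
        pinned = strategy["uid"]
        if requested_uid in (None, pinned):
            return True, pinned, ""
        return False, None, f"UID {requested_uid} does not match required uid {pinned}"
    if kind == "MustRunAsRange":
        lo, hi = strategy.get("uidRangeMin"), strategy.get("uidRangeMax")
        if lo is None or hi is None:  # no explicit range: use the project's
            lo, hi = project_uid_range(annotations)
        if requested_uid is None:
            return True, lo, ""
        if lo <= requested_uid <= hi:
            return True, requested_uid, ""
        return False, None, (f"UID does not match required range. "
                             f"Found {requested_uid}, required min: {lo} max: {hi}")
    raise ValueError(f"unsupported runAsUser strategy {kind!r}")


def admit(pod, creator, creator_groups, sccs, annotations):
    """Return (scc_name, effective_uid, "") for the first usable SCC that
    accepts the pod, or (None, None, error) when none does.

    `creator` is the identity the pod is validated against: the developer user
    for `oc create -f pod.yaml`, but the pod's service account for pods a
    DeploymentConfig stamps out, regardless of who created the DeploymentConfig.
    """
    requested = pod["spec"].get("securityContext", {}).get("runAsUser")
    failures = []
    for scc in sccs:
        usable = (creator in scc.get("users", [])
                  or any(g in scc.get("groups", []) for g in creator_groups))
        if not usable:
            continue
        ok, uid, reason = validate_run_as_user(scc, requested, annotations)
        if ok:
            return scc["metadata"]["name"], uid, ""
        failures.append(f"{scc['metadata']['name']}: {reason}")
    return None, None, ("unable to validate against any security context "
                        f"constraint: [{'; '.join(failures)}]")


if __name__ == "__main__":
    default_sa = "system:serviceaccount:myproject:default"
    app_sa = "system:serviceaccount:myproject:runasuid1000"
    print("developer creates pod:  ", admit(POD_1015, "developer", ["system:authenticated"], ALL_SCCS, PROJECT_ANNOTATIONS))
    print("DC pod, default SA:     ", admit(POD_1015, default_sa, SA_GROUPS, ALL_SCCS, PROJECT_ANNOTATIONS))
    print("DC pod, runasuid1000 SA:", admit(POD_DEFAULT_UID, app_sa, SA_GROUPS, ALL_SCCS, PROJECT_ANNOTATIONS))
```

Running it reproduces the three situations on this page: the developer user creating the pod directly lands on the `developer` SCC with UID 1015, the same spec created through the `default` service account fails with the question's `required min: 1000050000 max: 1000059999` message, and a pod running as the `runasuid1000` service account is defaulted to UID 1000 by the `uid1000` SCC. Note that the model also shows the one thing to drop when following the answer: keeping `runAsUser: 1015` in the DeploymentConfig template would fail the `MustRunAs` 1000 strategy, so the template should leave `runAsUser` unset and let the SCC supply it.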