Project: Machine Config Operator
Issue: MCO-659

Add ClusterRoleBinding for machine-os-builder service account


Type: Story
Resolution: Done
Priority: Undefined
Sprint: MCO Sprint 238, MCO Sprint 239

The easiest way to let the custom pod builder run as an unprivileged pod is to add a ClusterRoleBinding that allows the machine-os-builder service account to create a pod with the specified user ID (1000), which it currently cannot do. We want the builder to run with as few privileges as possible to mitigate the security concerns that come with building an image.


Here's an example manifest that has the desired effect:


---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: machine-os-builder-anyuid
roleRef:
  name: "system:openshift:scc:anyuid"
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
subjects:
  - name: machine-os-builder
    kind: ServiceAccount
    namespace: "{{.TargetNamespace}}"


Note: this manifest must be in a file by itself, since the code that reads it assumes only a single manifest per file.
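As an added example (not part of this issue or of the MCO code), a Python check that loads such a manifest file, enforces the one-manifest-per-file assumption described above, and audits that the SCC ClusterRole is bound only to the machine-os-builder ServiceAccount; this matters because "system:openshift:scc:anyuid" grants use of the anyuid SCC, which permits any UID, not only 1000. The tiny YAML-subset parser and the audit rules are this example's own assumptions, not the project's loader.

```python
import re
# Manifest copied from the issue, embedded so the example runs offline.
MANIFEST = """\
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: machine-os-builder-anyuid
roleRef:
  name: "system:openshift:scc:anyuid"
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
subjects:
  - name: machine-os-builder
    kind: ServiceAccount
    namespace: "{{.TargetNamespace}}"
"""
def _parse(tok, i, ind):
    """Parse a YAML subset (mappings, lists of mappings, quoted scalars) at indent ind."""
    seq, m = [], {}
    while i < len(tok) and tok[i][0] == ind:
        if tok[i][1].startswith("- "):  # list item: parse "- k: v" as a mapping two levels in
            tok[i] = (ind + 2, tok[i][1][2:])
            item, i = _parse(tok, i, ind + 2)
            seq.append(item)
            continue
        key, _, val = tok[i][1].partition(":")
        i += 1
        if val.strip():  # inline scalar; surrounding quotes dropped
            m[key] = val.strip().strip("\"'")
        else:  # nested block on the following, deeper-indented lines
            m[key], i = _parse(tok, i, tok[i][0])
    return (seq or m), i

def load_single_manifest(text):
    """Mirror the loader assumption from the issue: exactly one manifest per file."""
    docs = [d for d in re.split(r"(?m)^---[ \t]*$", text) if d.strip()]
    if len(docs) != 1:
        raise ValueError(f"expected exactly 1 manifest, found {len(docs)}")
    tok = [(len(l) - len(l.lstrip()), l.strip()) for l in docs[0].splitlines() if l.strip()]
    return _parse(tok, 0, tok[0][0])[0]

def audit_binding(obj):
    """Least-privilege check: the SCC role may be bound only to the builder ServiceAccount."""
    findings = []
    if obj.get("roleRef", {}).get("name") != "system:openshift:scc:anyuid":
        findings.append("unexpected roleRef")
    for s in obj.get("subjects", []):
        if s.get("kind") != "ServiceAccount" or s.get("name") != "machine-os-builder":
            findings.append(f"over-broad subject {s.get('kind')}/{s.get('name')}")
    return findings
```

Running audit_binding(load_single_manifest(MANIFEST)) on the issue's manifest yields no findings; a subject such as a Group would be reported, and a file with two documents is rejected.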


Done When:

• The MCO configures this ClusterRoleBinding for the machine-os-builder service account that it creates.

dkhater@redhat.com Dalia Khater
zzlotnik@redhat.com Zack Zlotnik