OpenShift Bugs: OCPBUGS-77039

Encourage use of SCCs instead of namespace annotations to overwrite UIDs/GIDs for Linux user namespaces

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • Affects Version/s: 4.20.z, 4.21.z, 4.22
    • Component/s: Documentation / Node
    • Severity: Moderate

      Description of problem:

      The docs [1] describe overwriting the namespace annotations that define which UIDs/GIDs are to be used, under the step:
      
      > Edit the default user ID (UID) and group ID (GID) range
      
      This poses multiple problems/risks:
      
      - Namespace annotations apply to every pod in the namespace, so containers that are not supposed to run in Linux user namespaces are placed in the defined UID range anyway.
      - Predefining `openshift.io/sa.*` annotations leads to unusable namespaces (see https://issues.redhat.com/browse/OCPBUGS-74643), so the approach is not really GitOps-friendly.
      
      [1]: https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/nodes/working-with-pods#nodes-pods-user-namespaces-configuring_nodes-pods-user-namespaces
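      As an added illustration (not part of this bug report or the linked docs), the namespace-wide annotation approach the report warns about is shown next to an SCC that grants the same UID/GID ranges only to one service account, with a pod that opts in to a user namespace. The names `myns`, `userns-scc`, `myapp`, the range values and the placeholder image are assumed for the example.

```yaml
# Namespace-wide: annotations apply to every pod admitted into the namespace,
# whether or not it opts in to a Linux user namespace (values assumed).
apiVersion: v1
kind: Namespace
metadata:
  name: myns
  annotations:
    openshift.io/sa.scc.uid-range: "100000/65536"            # start/size
    openshift.io/sa.scc.supplemental-groups: "100000/65536"
---
# SCC-scoped: same ranges, granted only to the service accounts under users;
# every other workload in myns keeps the cluster defaults.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: userns-scc
priority: 10            # evaluated before the default SCCs for the listed users
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
readOnlyRootFilesystem: false
runAsUser:
  type: MustRunAsRange
  uidRangeMin: 100000
  uidRangeMax: 165535
supplementalGroups:
  type: MustRunAs
  ranges:
  - min: 100000
    max: 165535
seLinuxContext:
  type: MustRunAs
volumes: ["configMap", "emptyDir", "projected", "secret"]
users:
- system:serviceaccount:myns:myapp
---
# Only pods that use that service account get the range, and only this one
# opts in to a user namespace via hostUsers: false.
apiVersion: v1
kind: Pod
metadata: {name: myapp, namespace: myns}
spec:
  serviceAccountName: myapp
  hostUsers: false
  containers:
  - {name: app, image: registry.example.com/myapp:1.0}   # placeholder image
```

      Since the SCC, not the namespace, carries the range, the manifest can live in Git without pre-seeding `openshift.io/sa.*` annotations on the namespace object.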

      People: Michael Burke, Benjamin Affolter, Min Li, Peter Hunt