OpenShift Request For Enhancement: RFE-2868

Add Security Context Constraint tailored to running Podman and Skopeo in a Pod


    • Type: Feature Request
    • Resolution: Done
    • Priority: Normal
    • Node

      With more and more software being containerized, people want to inspect and run containers from inside a Pod without needing a privileged Pod.

      Currently this knowledge lives in blog posts such as https://www.redhat.com/sysadmin/podman-inside-kubernetes
      However, understanding the implications of the changes needed (Seccomp profile, dropping SELinux confinement) is not trivial, and having a ready-to-use SCC for this purpose would help OpenShift users a great deal.

      Such a `nested` SCC should be based on the `restricted` SCC and allow the minimum permissions needed to run podman/buildah inside pods.
      Needed permissions would include (to be verified):

            gausingh@redhat.com Gaurav Singh
            rhn-support-ekasprzy Emmanuel Kasprzyk