Open the door for root users in Red Hat OpenShift (example Deployment)¶

This “blog post"/"cheat sheet” is about “Open the door for root users in OpenShift“. The topic is in context of an older blog post I wrote called Run a PostgreSQL container as a non-root user in OpenShift. Let’s look for the opposite perspective in this blog post.

If you want to get an overview of the existing Default OpenShift security context constraints visit the IBM Cloud documentation.

In this blog post, we don’t want to take advantage of the Out Of The Box provided security in Red Hat OpenShift. We are going to run a PostgreSQL container as root.

To do this, we will do the following:

  1. We will deploy a PostgreSQL container and notify that this container will not start, because by default the container is designed to run as root and that doesn’t work by default in Red Hat OpenShift.
  2. We will investigate the problem and find that the container cannot create a temporary database when the container starts.
  3. We will create a service account and we add the policy anyuid.
  4. We will add the service account to our project.
  5. Finally we will modify the existing deployment to use the service account and we “open the door for root usage” with the policy anyuid.
  6. In the last step we check the running pod.

Provide a container that uses root privileges

Step 1: Log in to the cluster as a user with cluster administrator rights

Step 2: Create a project called postgres

oc new-project postgres

Step 3: Create a yaml file for the following Deployment and s´Service definition

Here you see the Deployment and the Service to deploy a simple example postgres container.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: database-articles
  name: database-articles
  namespace: postgres
spec:
  selector:
    matchLabels:
      app: database-articles
  template:
    metadata:
      labels:
        app: database-articles
    spec:
      containers:
      - env:
        - name: POSTGRES_DB
          value: postgres
        - name: POSTGRES_USER
          value: postgres
        - name: POSTGRES_PASSWORD
          value: postgres
        - name: PGDATA
          value: /temp/data
        image: docker.io/postgres:latest
        imagePullPolicy: Always
        name: postgres
        ports:
        - containerPort: 5432
          protocol: TCP
        resources:
          limits:
            cpu: 60m
            memory: 512Mi
          requests:
            cpu: 30m
            memory: 128Mi
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: database-articles
  name: database-articles
  namespace: postgres
spec:
  ports:
  - name: http
    port: 5432
    protocol: TCP
  selector:
    app: database-articles

Step 4: Apply your deployment and service configuration

oc apply -f postgres-deployment.yaml

Step 5: Verify that the pod is running

oc get pod

Example output:

NAME                                 READY   STATUS             RESTARTS   AGE
database-articles-59d79c74cf-xv5j6   0/1     CrashLoopBackOff   1          10s

Step 6: Get logs of the pod

oc logs -f -p database-articles-59d79c74cf-xv5j6

Example output:

mkdir: cannot create directory ‘/temp’: Permission denied

Open the door for root usage

Step 1: Create a service account?

oc create sa postgres-sa

Example output:

serviceaccount/postgres-sa created

Step 2: Verify the created service account

oc get sa

Example output:

NAME          SECRETS   AGE
builder       2         15m
default       2         15m
deployer      2         15m
pipeline      2         15m
postgres-sa   2         47s

Step 3: Add policy add-scc-to-user anyuid to service account

oc adm policy add-scc-to-user anyuid -z postgres-sa

Example output:

clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "postgres-sa"

Step 4: Add service account and policy to project

oc adm policy add-scc-to-user anyuid -z postgres-sa -n postgres

Example output:

clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "postgres-sa"

Step 5: Get deployment

oc get deployment

Example output:

NAME                READY   UP-TO-DATE   AVAILABLE   AGE
database-articles   0/1     1            0           15m

Step 6: Add service account to deployment

oc set sa deployment database-articles postgres-sa

Example output:

deployment.apps/database-articles serviceaccount updated

Step 7: Verify that the pod is now running

oc get pod

Example output:

NAME                                 READY   STATUS        RESTARTS   AGE
database-articles-59d79c74cf-xv5j6   0/1     Terminating   8          17m
database-articles-7ff8b7656f-5rt5j   1/1     Running       0          9s

Step 8: Access to running pod

  • Access the running pod
oc exec database-articles-7ff8b7656f-5rt5j -i -t -- bash
  • Verify the temp folder contains now a data folder inside the container.
root@database-articles-56c9977c7-vstgp:/# ls
bin   docker-entrypoint-initdb.d  lib    mnt   root  srv   tmp
boot  etc                         lib64  opt   run   sys   usr
dev   home                        media  proc  sbin  temp  var
root@database-articles-56c9977c7-vstgp:/# cd temp
root@database-articles-56c9977c7-vstgp:/temp# ls
data
root@database-articles-56c9977c7-vstgp:/temp#

Here are two useful blog posts and a YouTube video:


Summary

It works pretty easily to enable root privileges for a container in OpenShift, but I would recommend using the “Out Of The Box” security provided by Red Hat OpenShift.


I hope this was useful to you and let’s see what’s next?

Greetings,

Thomas

#redhat, #openshift, #yaml, #security

One thought on “Open the door for root users in Red Hat OpenShift (example Deployment)¶

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.