UBI8 openjdk image & security context


I have a customized container image based on registry.access.redhat.com/ubi8/openjdk-11

This container is used to run a java app, and runs under:
uid=185(jboss) gid=0(root) groups=0(root),185(jboss)

In OpenShift 4.8.21 the restricted SCC is used by default, and the container will not initialize without additional role bindings, modifications to the SCC, or pod spec changes to the securityContext, reporting:

create Pod egeria-base-platform-0 in StatefulSet egeria-base-platform failed error: pods "egeria-base-platform-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted: .spec.securityContext.fsGroup: Invalid value: []int64{0}: 0 is not an allowed group, provider "ibm-restricted-scc": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "ibm-anyuid-scc": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "ibm-anyuid-hostpath-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "ibm-anyuid-hostaccess-scc": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "ibm-privileged-scc": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]

I would have hoped that the UBI image would run OK under the restricted SCC. The main error here seems to be with the group, 0.

I've previously fixed this locally by editing the restricted SCC in my test environment, but this is not a good idea! (upgrades...)

I can of course create an appropriate service account, role and role binding to use another SCC, either custom or perhaps anyuid.

What is best practice though? My pod spec comes from a Helm chart I've developed, which I am trying to keep generic across OpenShift and other platforms, at least for defaults.

  • Is it reasonable to expect UBI 8 to work with restricted out of the box?
  • Without getting into OpenShift specifics (I suppose an annotation is OK...), what is best practice to include in my security context when using a UBI image?
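As an added illustration of the rejection above (example code, not from the original post or from OpenShift itself): the restricted SCC uses the MustRunAs strategy for fsGroup and supplementalGroups and MustRunAsRange for runAsUser, taking the allowed ranges from the namespace annotations openshift.io/sa.scc.supplemental-groups and openshift.io/sa.scc.uid-range. A field left unset is filled in by the SCC from those ranges and passes; a field pinned to a value outside them (fsGroup 0 here, or the image's own uid 185) is rejected. The checker below models only those uid/gid strategies; the annotation values, the pod specs and the container name are constructed for the example.

```python
"""Offline model of the restricted SCC's uid/gid validation (added example, not
OpenShift code).  Modelled strategies:
  runAsUser          -> MustRunAsRange  (openshift.io/sa.scc.uid-range)
  fsGroup            -> MustRunAs       (openshift.io/sa.scc.supplemental-groups)
  supplementalGroups -> MustRunAs       (same annotation)
Everything else the SCC checks (capabilities, SELinux, volumes) is out of scope.
"""

# Constructed namespace annotations in OpenShift's "<start>/<length>" format.
NAMESPACE_ANNOTATIONS = {
    "openshift.io/sa.scc.uid-range": "1000650000/10000",
    "openshift.io/sa.scc.supplemental-groups": "1000650000/10000",
}


def parse_range(value):
    """'1000650000/10000' -> (1000650000, 1000659999); also accepts 'min-max'."""
    if "/" in value:
        start, length = value.split("/", 1)
        return int(start), int(start) + int(length) - 1
    lo, hi = value.split("-", 1)
    return int(lo), int(hi)


def restricted_violations(pod_spec, annotations=NAMESPACE_ANNOTATIONS):
    """Return the reasons restricted would reject pod_spec; [] means accepted."""
    uid_lo, uid_hi = parse_range(annotations["openshift.io/sa.scc.uid-range"])
    gid_lo, gid_hi = parse_range(annotations["openshift.io/sa.scc.supplemental-groups"])
    problems = []
    psc = pod_spec.get("securityContext") or {}

    # MustRunAs: an explicit fsGroup must fall inside the namespace group range.
    fs_group = psc.get("fsGroup")
    if fs_group is not None and not gid_lo <= fs_group <= gid_hi:
        problems.append(f".spec.securityContext.fsGroup: {fs_group} is not an allowed group")

    for gid in psc.get("supplementalGroups") or []:
        if not gid_lo <= gid <= gid_hi:
            problems.append(f".spec.securityContext.supplementalGroups: {gid} is not an allowed group")

    # MustRunAsRange: a pinned uid must be inside the namespace uid range, so the
    # image's own uid (185 for ubi8/openjdk-11) cannot simply be written into the spec.
    uid = psc.get("runAsUser")
    if uid is not None and not uid_lo <= uid <= uid_hi:
        problems.append(f".spec.securityContext.runAsUser: {uid} must be in the ranges [{uid_lo}, {uid_hi}]")

    for c in pod_spec.get("containers", []):
        csc = c.get("securityContext") or {}
        cuid = csc.get("runAsUser")
        if cuid is not None and not uid_lo <= cuid <= uid_hi:
            problems.append(f"container {c.get('name', '?')}: runAsUser {cuid} must be in the ranges [{uid_lo}, {uid_hi}]")
    return problems


IMAGE = "registry.access.redhat.com/ubi8/openjdk-11"

# Constructed spec reproducing the rejected pod: fsGroup pinned to 0.
POD_WITH_FSGROUP_0 = {
    "securityContext": {"fsGroup": 0},
    "containers": [{"name": "platform", "image": IMAGE}],
}

# Constructed spec pinning the image's uid: also rejected, 185 is outside the range.
POD_PINNED_185 = {
    "securityContext": {"runAsUser": 185},
    "containers": [{"name": "platform", "image": IMAGE}],
}

# Constructed portable spec: no uid or gid pinned, only hardening that every
# platform accepts; restricted assigns the uid/gid from the namespace ranges.
POD_PORTABLE = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{
        "name": "platform",
        "image": IMAGE,
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

if __name__ == "__main__":
    for label, spec in [("fsGroup 0", POD_WITH_FSGROUP_0),
                        ("runAsUser 185", POD_PINNED_185),
                        ("portable", POD_PORTABLE)]:
        print(f"{label}: {restricted_violations(spec) or 'accepted'}")
```

The portable spec works because the UBI images are built to run as an arbitrary uid with gid 0 as the primary group, so leaving runAsUser and fsGroup unset and letting the SCC assign values from the namespace range keeps the same chart valid on OpenShift and elsewhere.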
