Containers created with cri-o allow a non-privileged user to modify the filesystem inside containers on OpenShift Container Platform.

Solution Verified - Updated -

Issue

  • OCP 3.9 installed with the cri-o runtime allows non-root users to modify the filesystem inside containers, i.e. a non-root user can wipe the entire filesystem of a container. OCP with docker does not allow a non-root user to alter the container filesystem.

Environment

  • OpenShift Container Platform 3.9
  • CRI-O
