Container Users and Security

Regular User create pods

OCP ignore the USER instruction in container image.
Instead, OCP assign GUID 0 instead and is run as unprivileged user
This meant that container user is always in root group

Cluster Admin create pods

OCP recognise the USER instructions in container image
Thus, if USER is set to 0 (root), container will have unrestricted access to host file system
Best Practice: Run as rootless container or unprivileged user with only the required permission to access necessary container files

RedHat Best Practice

Run containers from different applications with unique USER
If using same USER, USER in 1 container might be able to access the files on the 2nd container.

Connected Pages

Depth

On this page

Pages mentioning this page

No other pages mentions this page