Yes, to run tests that root your whole cluster, the test running for conformance grants “root your cluster” permissions.
I occasionally regret the defaults we picked because people get frustrated that random software off the internet doesn’t run.
That said, every severe (or almost every) container runtime vulnerability in the last five years has not applied to a default pod running on OpenShift, so there’s at least some comfort there.
To grant “run as uid 0” is a one-line RBAC assignment. To grant “run as uid 0 and access host” is a similar statement.
https://github.com/openshift/origin/blob/master/test/extende...