How-To – run a pod as root

This how-to covers what has to be done to run a pod as root.

We’ll use a project sample here.

$ oc project sample

Create a new service account

$ oc create serviceaccount useroot 

Add the service account to the security context constraint anyuid

$ oc adm policy add-scc-to-user anyuid -z useroot -n sample

Check that the service account is now listed in the SCC:

# oc edit scc anyuid

...
users:
- system:serviceaccount:sample:useroot
...

Add the service account to the deployment config

$ oc patch dc/myAppNeedsRoot --patch '{"spec":{"template":{"spec":{"serviceAccountName": "useroot"}}}}'

$ oc edit dc myAppNeedsRoot
...
    spec:
      containers:
      ...
      serviceAccount: useroot
      serviceAccountName: useroot
      ...
...

This enables a deployed Docker container to run as any user (e.g. root). OpenShift ensures that only the necessary security context constraints are used. So to have a container running as root, you also have to ensure that the container explicitly requests it, e.g. by a “USER 0” directive in your Dockerfile or by forcing it with “runAsUser: 0” in your container’s security context. Otherwise OpenShift might choose the “restricted” security context constraint anyway.
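
To confirm which SCC actually admitted each pod and whether root was requested, the check below reads output shaped like `oc get pods -n sample -o json`. It is an added example, not part of the original how-to; it relies on the openshift.io/scc annotation that OpenShift sets on admitted pods, and the pod names and UID in the embedded sample are constructed.

```python
import json

# Constructed sample shaped like `oc get pods -n sample -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "myapp-1-abcde",
               "annotations": {"openshift.io/scc": "anyuid"}},
  "spec": {"serviceAccountName": "useroot",
           "securityContext": {"runAsUser": 0},
           "containers": [{"name": "app"}]}},
 {"metadata": {"name": "myapp-2-fghij",
               "annotations": {"openshift.io/scc": "restricted"}},
  "spec": {"serviceAccountName": "useroot",
           "containers": [{"name": "app",
                           "securityContext": {"runAsUser": 1000620000}}]}},
 {"metadata": {"name": "myapp-3-klmno",
               "annotations": {"openshift.io/scc": "anyuid"}},
  "spec": {"serviceAccountName": "useroot",
           "containers": [{"name": "app"}]}}
]}
""")

def effective_uid(pod_spec, container):
    """Container-level runAsUser overrides the pod-level value; None if unset."""
    c = (container.get("securityContext") or {}).get("runAsUser")
    p = (pod_spec.get("securityContext") or {}).get("runAsUser")
    return c if c is not None else p

def audit(pod_list, service_account="useroot"):
    """Return (pod, scc, uids, verdict) for pods using the service account."""
    rows = []
    for pod in pod_list.get("items", []):
        spec = pod["spec"]
        if spec.get("serviceAccountName") != service_account:
            continue
        scc = pod["metadata"].get("annotations", {}).get("openshift.io/scc")
        uids = [effective_uid(spec, c) for c in spec.get("containers", [])]
        if scc != "anyuid":
            verdict = "not admitted under anyuid"
        elif 0 in uids:
            verdict = "root requested via runAsUser"
        elif all(u is None for u in uids):
            verdict = "no runAsUser set: UID comes from the image USER"
        else:
            verdict = "non-root UID requested"
        rows.append((pod["metadata"]["name"], scc, uids, verdict))
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

To run it against a live project, load the JSON from standard input instead of SAMPLE.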