possible ambiguity in the host level access categories #760

imperialguy opened this issue Aug 11, 2022 · 0 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@imperialguy

Is your feature request related to a problem? Please describe.

Currently, there are only two categories for the host level access - Unprivileged and Privileged. This kind of categorization may be a bit obsolete, especially with the introduction of user namespaces via annotations in OpenShift (see here) and very soon to be available in Kubernetes as well (see here).

So, the concept of categorizing an image as Privileged (meaning requiring host-level privileges) just because it runs as root (inside) is a bit ambiguous because the OpenShift/Kubernetes hosts do have the ability to launch these containers, via annotations/userns, as rootless (outside).

Describe the solution you'd like.

There's probably not an easy way for preflight to know whether a root (inside) image will be run as root (outside) or rootless (outside) via a userns on OpenShift/Kubernetes host. But, there should at least be an option to check inside the containerized application project settings in the certification workflow where the user can check an option that says these containers, even though built as root (inside), are intended to be run as rootless (outside), via a userns, on OpenShift/Kubernetes hosts.

Describe alternatives you've considered.

There is no third alternative/option available right now.

Additional context.

(Add any other context or screenshots about the feature request here.)

@imperialguy imperialguy added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 11, 2022
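
The root (inside) versus rootless (outside) distinction raised in this issue can be checked on a running container from its `/proc/<pid>/uid_map`. The Go sketch below is an added example, not code from the issue or from preflight: it resolves container UID 0 to its host UID. The function names are hypothetical and both sample maps are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// idMap is one uid_map line: count IDs starting at inside map to outside.
type idMap struct{ inside, outside, count uint64 }

// parseUIDMap parses uid_map text, one "inside outside count" per line.
func parseUIDMap(text string) ([]idMap, error) {
	var maps []idMap
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		var m idMap
		if _, err := fmt.Sscan(sc.Text(), &m.inside, &m.outside, &m.count); err != nil {
			return nil, fmt.Errorf("bad uid_map line %q: %w", sc.Text(), err)
		}
		maps = append(maps, m)
	}
	return maps, sc.Err()
}

// hostUID returns the UID outside the namespace; ok is false if unmapped.
func hostUID(maps []idMap, inside uint64) (uid uint64, ok bool) {
	for _, m := range maps {
		if inside >= m.inside && inside-m.inside < m.count {
			return m.outside + (inside - m.inside), true
		}
	}
	return 0, false
}

// rootOutside reports whether container root (UID 0) is also host root.
func rootOutside(uidMap string) (bool, error) {
	maps, err := parseUIDMap(uidMap)
	if err != nil {
		return false, err
	}
	uid, ok := hostUID(maps, 0)
	return ok && uid == 0, nil
}

// Constructed samples: identity map (host user namespace) and a remapped range.
const hostNS = "         0          0 4294967295\n"
const remapped = "         0     524288      65536\n"

func main() {
	for _, s := range []string{hostNS, remapped} {
		r, err := rootOutside(s)
		fmt.Printf("%q -> root outside: %v (err: %v)\n", strings.TrimSpace(s), r, err)
	}
}
```

This only works against a live process, so it illustrates why a static image check cannot settle the question the issue raises.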