This repository demonstrates how to run container images that require the anyuid Security Context Constraint (SCC)—such as the official Postgres image from Docker Hub—on OpenShift. It also shows how to detect these containers and associated service accounts that could allow for malicious behavior.
By default, OpenShift restricts containers from running as the root user. This example shows how to configure a namespace and service accounts to allow running a PostgreSQL container as root using the anyuid SCC. Additionally, it provides policies to detect and audit such configurations for improved security posture.
- Access to an OpenShift cluster with cluster-admin privileges.
- Red Hat Advanced Cluster Management for Kubernetes operator installed.
- `oc` or `kubectl` CLI tools installed and configured.
First, set up Red Hat Advanced Cluster Management for Kubernetes; initially you will not see any policies.
Then run the first three scripts to install the required Gatekeeper operator (which also serves as a showcase of how to enforce the presence of an operator on the clusters) and the detection policies:
```
./01-install-gatekeeper-operator-policy.sh
./02-detect-anyuid-rolebinding-policy.sh
./03-detect-root-user-pods-policy.sh
```
After a while you will see three new policies, none of them reporting any violations.
Next, create a new namespace and configure it to run a privileged Postgres pod:
```
./04-namespace.sh
./05-service-account.sh
./06-role-bindings.sh
./07-deploy-postgress.sh
```
After some time the policies start to display violations for the cluster you installed Postgres on; inspect the details in the RHACM console.
Once you delete the whole `privileged-namespace` namespace, the policy violations will disappear.
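As an added example (not one of the repository's scripts), the following RHACM policy performs the same kind of detection as steps 02 and 03 in a single ConfigurationPolicy: it reports any RoleBinding that grants the `system:openshift:scc:anyuid` ClusterRole and any pod that was admitted under the anyuid SCC (OpenShift records the admitting SCC in the `openshift.io/scc` pod annotation). The policy name and namespace are assumptions, and it still has to be bound to managed clusters with a Placement/PlacementBinding of your own.

```yaml
# Added example: RHACM Policy wrapping one ConfigurationPolicy.
# Names and namespace below are assumed; adjust to your environment.
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: detect-anyuid-usage            # assumed name
  namespace: policies                  # assumed RHACM policy namespace
spec:
  disabled: false
  remediationAction: inform            # audit only, do not delete objects
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: detect-anyuid-usage
        spec:
          remediationAction: inform
          severity: high
          namespaceSelector:
            include: ["*"]
            # platform namespaces legitimately use anyuid; review them separately
            exclude: ["kube-*", "openshift-*"]
          object-templates:
            # Violation: any RoleBinding whose roleRef is the anyuid SCC ClusterRole.
            # No metadata.name is given, so every matching binding is reported.
            - complianceType: mustnothave
              objectDefinition:
                apiVersion: rbac.authorization.k8s.io/v1
                kind: RoleBinding
                roleRef:
                  apiGroup: rbac.authorization.k8s.io
                  kind: ClusterRole
                  name: system:openshift:scc:anyuid
            # Violation: any pod the admission controller admitted under anyuid,
            # which is what lets an image such as Postgres start as UID 0.
            - complianceType: mustnothave
              objectDefinition:
                apiVersion: v1
                kind: Pod
                metadata:
                  annotations:
                    openshift.io/scc: anyuid
```

Apply it with `oc apply -f` in the policy namespace and bind it with a Placement; with `remediationAction: inform` the policy only reports NonCompliant status, so deleting the `privileged-namespace` namespace is still what clears the violations.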
- `alpine-postgres/`: Kubernetes manifests for the PostgreSQL deployment.
- `role-bindings/`: Role bindings for SCCs.
- `default-service-account/`: Scripts to modify the default service account instead of a dedicated service account.
- Running containers as root is discouraged unless absolutely necessary. Always prefer the least privilege principle.
- The provided detection policies help you audit and monitor for risky configurations, such as service accounts or pods that can run as root.
- Regularly review and update your security policies to match your organization's compliance requirements.

- Ensure all prerequisites are met and that you have the necessary permissions.
- If policies are not being enforced or detected, verify that Gatekeeper and ACM are properly installed and running.
- Check the logs of the Gatekeeper and ACM controllers for more details.

Contributions and suggestions are welcome! Please open an issue or submit a pull request.
This repository is licensed under the MIT License.