sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

SYS.1.6.A18 #18

Open sluetze opened 10 months ago

sluetze commented 1 month ago

The system accounts within a container SHOULD not have permissions on the host system.

With OpenShift, accounts within the container are separated from the host system by SELinux. This includes preventing the use of privileged user and group IDs as well as corresponding rights extensions (Set-UID, Set-GID bit). A range of UIDs/GIDs is provided for use in containers.

Where this authorization is necessary for operational reasons, it SHOULD only apply to absolutely necessary data and system access.

Security Context Constraints (SCCs) allow accounts in the container to gain controlled access.

The account in the container that is necessary for this data exchange SHOULD be known in the host system.

The host system Red Hat CoreOS is immutable. The changes to the host operating system should only be made by OpenShift and should be necessary so that hardening by Red Hat is not inadvertently undermined.

Since, in contrast to an unprotected container runtime environment, SELinux enforces the separation between the container runtime and the operating system, this mirroring of account names is not necessary.
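Added example, not part of the issue comment or of the project's own content: one way to check which SCCs would let a container account reach the host, run over JSON in the shape of `oc get scc -o json`. The SCC names and the service account in the sample are constructed, and treating an absent `allowPrivilegeEscalation` as allowed is an assumption of this sketch.

```python
import json

# SCC booleans that give a container account direct reach into the host.
HOST_ACCESS_FLAGS = ("allowPrivilegedContainer", "allowHostDirVolumePlugin",
                     "allowHostIPC", "allowHostNetwork", "allowHostPID",
                     "allowHostPorts")

def audit_scc(scc):
    """Return findings for one SecurityContextConstraints object (a dict)."""
    findings = [f"{flag} is enabled" for flag in HOST_ACCESS_FLAGS if scc.get(flag)]
    if (scc.get("runAsUser") or {}).get("type") == "RunAsAny":
        findings.append("runAsUser is RunAsAny: UID 0 is permitted")
    if (scc.get("seLinuxContext") or {}).get("type") == "RunAsAny":
        findings.append("seLinuxContext is RunAsAny: SELinux label is not pinned")
    # Assumption: an absent or null allowPrivilegeEscalation is treated as allowed.
    if scc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not false: "
                        "set-uid/set-gid binaries can raise privileges")
    if scc.get("allowedCapabilities"):
        findings.append("extra capabilities: " + ", ".join(scc["allowedCapabilities"]))
    return findings

def audit_scc_list(doc):
    """Map SCC name -> (findings, directly listed subjects) for flagged SCCs."""
    report = {}
    for scc in doc.get("items", []):
        findings = audit_scc(scc)
        if findings:
            subjects = (scc.get("users") or []) + (scc.get("groups") or [])
            report[scc["metadata"]["name"]] = (findings, subjects)
    return report

# Constructed sample in the shape of `oc get scc -o json`; names are made up.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "constructed-restricted"},
  "allowPrivilegedContainer": false, "allowHostDirVolumePlugin": false,
  "allowPrivilegeEscalation": false, "allowedCapabilities": null,
  "runAsUser": {"type": "MustRunAsRange"}, "seLinuxContext": {"type": "MustRunAs"},
  "users": [], "groups": []},
 {"metadata": {"name": "constructed-backup-agent"},
  "allowPrivilegedContainer": false, "allowHostDirVolumePlugin": true,
  "runAsUser": {"type": "RunAsAny"}, "seLinuxContext": {"type": "MustRunAs"},
  "users": ["system:serviceaccount:backup:agent"], "groups": []}]}""")

if __name__ == "__main__":
    for name, (findings, subjects) in audit_scc_list(SAMPLE).items():
        print(f"{name} (granted to: {', '.join(subjects) or 'no direct subjects'})")
        for finding in findings:
            print("  -", finding)
```

The `users` and `groups` fields list only direct grants; an SCC can also be granted through RBAC `use` permission on the SCC, which this sketch does not inspect.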