When you deploy runtime data collectors on OpenShift 4.2 or higher, if the SCC strategy is MustRunAsRange, you must create the docker user and group ID in the range.
For more information about OpenShift SCC strategy, see Managing Security Context Constraints.
Check the SCC strategy for the namespace of the pod where you deploy runtime data collectors. For example, if the namespace is icam, run the following command:
kubectl describe namespace icam
The output is similar to the following:
Name:         icam
Labels:       <none>
Annotations:  mcm.ibm.com/accountID: id-mycluster-account
              mcm.ibm.com/type: System
              openshift.io/sa.scc.mcs: s0:c25,c5
              openshift.io/sa.scc.supplemental-groups: 1000610000/10000
              openshift.io/sa.scc.uid-range: 1000610000/10000
Status:       Active
No resource quota.
No resource limits.
The openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups annotations give the allowed range as start/length (here, 1000610000 to 1000619999). In the Dockerfile for the runtime data collector image, create a user and group whose IDs fall in that range and switch to that user:
USER root
RUN groupadd -g 1000610000 appgrp && useradd -l -r -d /home/appuser -u 1000610000 -g appgrp appuser && chown -R appuser:appgrp /opt/ibm && chown -R appuser:appgrp /logs
USER appuser
Note: Add -l so that the user is not added to the lastlog and faillog databases. Otherwise, the docker image build hangs. See the Git issue for details.
Then set the pod security context of the runtime data collector to the same user and group IDs:
securityContext:
  runAsUser: 1000610000
  runAsGroup: 1000610000
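The following script, an added example that is not part of the product documentation, reads the SCC range annotations out of a `kubectl describe namespace` capture and verifies that the runAsUser and runAsGroup you intend to set fall inside them. The describe output embedded below is constructed from the values shown on this page; the function names are the example's own. It also accepts the start-end and comma-separated range forms that OpenShift allows for these annotations, which the page does not show.

```python
"""Validate pod runAsUser/runAsGroup against the UID and supplemental-group
ranges that OpenShift annotates on a namespace (MustRunAsRange strategy).
Added example, not from the product docs."""
import re

# Constructed sample: trimmed output of `kubectl describe namespace icam`
DESCRIBE_OUTPUT = """\
Name:         icam
Labels:       <none>
Annotations:  mcm.ibm.com/accountID: id-mycluster-account
              mcm.ibm.com/type: System
              openshift.io/sa.scc.mcs: s0:c25,c5
              openshift.io/sa.scc.supplemental-groups: 1000610000/10000
              openshift.io/sa.scc.uid-range: 1000610000/10000
Status:       Active
"""


def parse_annotations(text):
    """Return {key: value} for every openshift.io/sa.scc.* annotation line."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(openshift\.io/sa\.scc\.[\w-]+):\s*(\S+)", text)}


def parse_ranges(spec):
    """Turn '1000610000/10000' (start/length) or '1000-2000' (start-end),
    optionally comma-separated, into a list of inclusive (low, high) tuples."""
    ranges = []
    for part in spec.split(","):
        if "/" in part:
            start, length = (int(x) for x in part.split("/"))
            ranges.append((start, start + length - 1))
        else:
            low, high = (int(x) for x in part.split("-"))
            ranges.append((low, high))
    return ranges


def in_ranges(value, ranges):
    return any(low <= value <= high for low, high in ranges)


def check_security_context(describe_text, run_as_user, run_as_group):
    """Return (ok, problems): ok is True only when the UID is inside uid-range
    and the GID inside supplemental-groups, as the page requires for both."""
    ann = parse_annotations(describe_text)
    uid_ranges = parse_ranges(ann["openshift.io/sa.scc.uid-range"])
    gid_ranges = parse_ranges(ann["openshift.io/sa.scc.supplemental-groups"])
    problems = []
    if not in_ranges(run_as_user, uid_ranges):
        problems.append(f"runAsUser {run_as_user} outside uid-range {uid_ranges}")
    if not in_ranges(run_as_group, gid_ranges):
        problems.append(f"runAsGroup {run_as_group} outside supplemental-groups {gid_ranges}")
    return (not problems, problems)


if __name__ == "__main__":
    print(check_security_context(DESCRIBE_OUTPUT, 1000610000, 1000610000))
```

Pipe a live `kubectl describe namespace <name>` into `check_security_context` before building the image to catch an ID outside the range, which would otherwise surface only as a pod admission failure.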