If you want to use container images not found in the Red Hat Container Catalog, you can use other arbitrary container images in your OKD instance, for example those found on the Docker Hub.
For OKD-specific guidelines on running containers using an arbitrarily assigned user ID, see Support Arbitrary User IDs in the Creating Images guide.
OKD runs containers on hosts in the cluster, and in some cases, such as build operations and the registry service, it does so using privileged containers. Furthermore, those containers access the hosts' Docker daemon and perform docker build and docker push operations. As such, cluster administrators should be aware of the inherent security risks associated with performing docker run operations on arbitrary images as they effectively have root access. This is particularly relevant for docker build operations.
Exposure to harmful containers can be limited by assigning specific builds to nodes so that any exposure is limited to those nodes. To do this, see the Assigning Builds to Specific Nodes section of the Developer Guide. For cluster administrators, see the Configuring Global Build Defaults and Overrides section of the Installation and Configuration Guide.
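To check that builds are actually confined to the nodes set aside for them, the following added example (not part of the OKD documentation) audits BuildConfig objects for a missing or non-matching spec.nodeSelector. The label role=build and the sample data are assumptions made for illustration, and the check does not account for selectors applied cluster-wide through global build defaults or overrides.

```python
import json

# Assumption: dedicated build nodes carry this label (hypothetical key/value).
REQUIRED_SELECTOR = {"role": "build"}

# Constructed sample shaped like `oc get buildconfigs --all-namespaces -o json`.
SAMPLE = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "team-a", "name": "web"},
         "spec": {"strategy": {"type": "Docker"},
                  "nodeSelector": {"role": "build"}}},
        {"metadata": {"namespace": "team-b", "name": "api"},
         "spec": {"strategy": {"type": "Docker"}}},
        {"metadata": {"namespace": "team-c", "name": "batch"},
         "spec": {"strategy": {"type": "Source"},
                  "nodeSelector": {"role": "app"}}},
        {"metadata": {"namespace": "team-d", "name": "tools"},
         "spec": {"strategy": {"type": "Custom"}, "nodeSelector": {}}},
    ],
})


def unpinned_builds(raw, required=REQUIRED_SELECTOR):
    """Return (namespace/name, strategy, reason) for builds not confined to build nodes."""
    findings = []
    for bc in json.loads(raw).get("items", []):
        meta, spec = bc.get("metadata", {}), bc.get("spec", {})
        ident = f'{meta.get("namespace", "?")}/{meta.get("name", "?")}'
        strategy = spec.get("strategy", {}).get("type", "unknown")
        selector = spec.get("nodeSelector")
        if selector is None:
            reason = "no nodeSelector"
        elif not selector:
            reason = "empty nodeSelector"
        else:
            # Every required label must be present with the required value.
            wrong = {k: selector.get(k) for k, v in required.items()
                     if selector.get(k) != v}
            if not wrong:
                continue
            reason = f"selector does not match required labels: {wrong}"
        findings.append((ident, strategy, reason))
    return findings


if __name__ == "__main__":
    for ident, strategy, reason in unpinned_builds(SAMPLE):
        print(f"{ident} ({strategy} strategy): {reason}")
```
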
You can also use security context constraints to control the actions that a pod can perform and what it has the ability to access. For instructions on how to enable images to run with USER in the Dockerfile, see Managing Security Context Constraints (requires a user with cluster-admin privileges).
For more information, see these articles: