For OKD-specific guidelines on running containers using an arbitrarily assigned user ID, see Support Arbitrary User IDs in the Creating Images guide.
OKD runs containers on hosts in the cluster, and in some cases, such
as build operations and the registry service, it does so using privileged
containers. Furthermore, those containers access the hosts' Docker daemon and
docker build and
docker push operations. As such, cluster
administrators should be aware of the inherent security risks associated with
docker run operations on arbitrary images as they effectively have
root access. This is particularly relevant for
docker build operations.
Exposure to harmful containers can be limited by assigning specific builds to nodes so that any exposure is limited to those nodes. To do this, see the Assigning Builds to Specific Nodes section of the Developer Guide. For cluster administrators, see the Configuring Global Build Defaults and Overrides section of the Installation and Configuration Guide.
You can also use security context constraints to control the actions that a pod can perform and what it has the ability to access. For instructions on how to enable images to run with USER in the Dockerfile, see Managing Security Context Constraints (requires a user with cluster-admin privileges).
For more information, see these articles: