Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Openshift Deployment

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Openshift Deployment

Chronological Thread 
  • From: Oliver Trieu <>
  • To: Darren Boss <>, Scott Koranda <>
  • Cc:
  • Subject: Re: [grouper-users] Openshift Deployment
  • Date: Mon, 27 Apr 2020 12:10:46 +0200

Dear Darren,

could you elaborate on what kind or problems you expect with runAsUser in a Pod?

I am currently running our test instance of grouper 2.4 on Openshift and so far i did not encounter issue.

Is there an easy way to specifically test for this?

Kind Regards


On 22.04.20 16:31, Darren Boss wrote:
That may not be good enough for the Openshift case but since I haven't used Openshift I can't say for sure.

I'm not sure about dropping privileges. It seems like a step in the right direction but I'm not sure what happens when combined with specifying security contexts in the pod (runAsUser). I'd be willing to do a bit of digging or run some tests on a test cluster if that was of interest.

I'm still ramping up my knowledge on the security side of running services under Kubernetes.

On Wed, Apr 22, 2020 at 9:50 AM Scott Koranda <> wrote:

Just a clarifying question...

Would you find it acceptable for the container to start running as root
and then drop privileges later to a non-privileged user, or is your
requirement that the container never need any root privileges at all?

Asking for a friend...


Scott K

> Even if not running under Openshift and just upstream Kubernetes, please
> retool the Docker images to not run as root (this applies to the other TAP
> images as well).
> Containers are not vms and unless you are running with uid
> translation/mapping in place, the grouper process would be running at root
> on the system as well. From what I've read, running within a user namespace
> and remapping uids can impart a performance penalty.
> On Wed, Apr 22, 2020 at 3:22 AM Oliver Trieu <>
> wrote:
> > Dear Grouper Team,
> >
> >
> > I think its great that Grouper is now running on containers.
> >
> > This is definitely a step in the right direction.
> >
> > I was wondering if you could prepare your Container Image to run on the
> > Openshift Platform.
> >
> > The issue here is that the current Image wants to run as the root user.
> >
> > It would be great if you could run it as an unpriviledged user.
> >
> >
> > Is it possible to obtaiin the Dockerfiles you used to create the images?
> >
> >
> > Kind Regards
> >
> >
> > Oliver
> >
> >
> >
> >
> >
> --
> Darren Boss
> Senior Programmer/Analyst
> Programmeur-analyste principal

Darren Boss
Senior Programmer/Analyst
Programmeur-analyste principal

Archive powered by MHonArc 2.6.19.

Top of Page