Prologue
ap4k is a collection of java annotations and processors for generating, customizing and testing kubernetes and openshift manifests.
The idea of using java annotations for customizing kubernetes and openshift manifests is not something entirely new. In 2015 fabric8 provided an artifact called `kubernetes-generator` (not to be confused with other generators under the fabric8 umbrella) that allowed developers to hook into the compilation process code that customized these manifests. The way the code was hooked into the compilation processors was via java annotations. The idea was nice but did required developers to write actual code, and thus was soon abandoned as in favor of the fabric8-maven-plugin which was rewritten at the same time by Rolland Huss.
intro
openshift takes security seriously. Sometimes more seriously than I’d like (mostly cause I am lazy). One such example is the fact that containers run using arbitrary users. This is done as an extra measure to control damages, should a process somehow escapes its container boundaries.
But how does it affect users?
the problem
Users need to follow certain guidelines when creating container images.
don’t assume a user
you don’t have a known uid The uid of the user is not known in advnace. Also there is no way of controlling it.
openshift CreatedFri, 29 Sep 2017 00:00:00 +0300