by humbleMouse 2996 days ago
Well first of all OpenShift enforces that no pods can run as root. That's a pretty big deviation from vanilla Kubernetes right out of the box.

I was wondering how they enforce it.

> OpenShift runs whichever container you want with a random UUID, so unless the Docker image is prepared to work as a non-root user, it probably won't work due to permissions issues.

Source: https://engineering.bitnami.com/articles/running-non-root-co...

It’s not quite random. Every namespace gets assigned a unique block of 10k UIDs and the default container UID is the first in the block for all unprivileged users. Granting access to a higher powered PSP (actually a security context constraint which was the basis for PSP) changes the defaulting.
It's enforced with a default PodSecurityPolicy, which describes the attributes/capabilities that containers can have on the cluster.
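As an added example (not code from this thread and not OpenShift's own implementation), here is the per-namespace UID block defaulting described two comments up, together with the policy-style admission check described in the last comment, modelled in Python. The annotation key `openshift.io/sa.scc.uid-range` and its `<start>/<size>` value format are the real OpenShift ones; the namespace objects, the block start values and the `admit`/`is_admitted` helpers are constructed here for illustration.

```python
# Added example: how a namespace's 10k UID block becomes the default and the
# allowed range for runAsUser, in the style of a MustRunAsRange policy.
# Sample namespaces below are constructed; this is not OpenShift code.

from dataclasses import dataclass
from typing import Optional

UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"  # real OpenShift annotation key
BLOCK_SIZE = 10_000  # each namespace is handed a block of this size

# Constructed namespace objects, shaped like the metadata the API server returns.
# The annotation value has the form "<start>/<size>"; these starts are made up.
NAMESPACES = {
    "team-a": {"annotations": {UID_RANGE_ANNOTATION: f"1000100000/{BLOCK_SIZE}"}},
    "team-b": {"annotations": {UID_RANGE_ANNOTATION: f"1000110000/{BLOCK_SIZE}"}},
}


@dataclass(frozen=True)
class UIDRange:
    start: int
    size: int

    def contains(self, uid: int) -> bool:
        return self.start <= uid < self.start + self.size

    def overlaps(self, other: "UIDRange") -> bool:
        return self.start < other.start + other.size and other.start < self.start + self.size


def parse_uid_range(namespace: dict) -> UIDRange:
    """Parse the '<start>/<size>' annotation; fail closed if it is missing or malformed."""
    raw = namespace["annotations"][UID_RANGE_ANNOTATION]
    start_s, size_s = raw.split("/")
    start, size = int(start_s), int(size_s)
    if start <= 0 or size <= 0:
        raise ValueError(f"invalid uid range {raw!r}")
    return UIDRange(start, size)


def default_run_as_user(namespace: dict) -> int:
    """Defaulting rule: an unset runAsUser becomes the first UID in the namespace's block."""
    return parse_uid_range(namespace).start


def admit(namespace: dict, requested_uid: Optional[int], privileged: bool = False) -> int:
    """
    Admission check in the style of a restricted policy:
      - privileged containers are rejected outright,
      - an explicit runAsUser must lie inside the namespace's block (so 0 / root is rejected),
      - an unset runAsUser is defaulted to the first UID of the block.
    Returns the UID the container will actually run as.
    """
    if privileged:
        raise PermissionError("privileged containers are not allowed by the restricted policy")
    rng = parse_uid_range(namespace)
    if requested_uid is None:
        return rng.start
    if not rng.contains(requested_uid):
        raise PermissionError(
            f"runAsUser {requested_uid} is outside the allowed range "
            f"{rng.start}-{rng.start + rng.size - 1}"
        )
    return requested_uid


def is_admitted(namespace: dict, requested_uid: Optional[int], privileged: bool = False) -> bool:
    """Boolean wrapper around admit() for callers that only need the verdict."""
    try:
        admit(namespace, requested_uid, privileged)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    a, b = NAMESPACES["team-a"], NAMESPACES["team-b"]
    print("team-a default UID:", default_run_as_user(a))
    print("team-a pod with runAsUser 0 admitted?", is_admitted(a, 0))
    print("blocks of team-a and team-b overlap?", parse_uid_range(a).overlaps(parse_uid_range(b)))
```

The practical consequence for image authors is visible in `admit`: a Dockerfile that bakes in `USER 1001` will be rejected here because 1001 is outside the block, while an image that leaves `USER` unset runs as the block's first UID, so files the process must write need group-writable permissions (typically root group) rather than ownership by a fixed UID.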