by BossingAround 2172 days ago
> If you want to use standard tools it’d be nice to have a managed standard Kubernetes option

What standard tool doesn't work on OpenShift? It's certified to have 100% compatibility with Kubernetes, it just adds stuff, doesn't it?


I think there are some things which are either disabled or complicated by policy, not to mention the lag between Kubernetes updates shipping and OpenShift updating, but I was more going at the angle of paying for things you're not using. OpenShift's license costs are enough that you really have to justify it based on those services. The people I know who've avoided it did so because they couldn't justify the price when they mostly wanted Kubernetes but their teams had no interest in going away from their current build tools.
It takes away privileges, which arguably is a good thing, but some things that require root containers won't run. They pass the Kubernetes conformance suite only by removing those constraints.
That's not true at all. You can read their CNCF results yourself, nothing is disabled. And the conformance tooling works around these constraints by defining their own PSPs.
It would help if you provided a link to the CNCF results.

From what I see in https://github.com/openshift/origin/blob/master/test/extende... there are additional policies granted (search for "Disable container security").

Yes, to run tests that root your whole cluster, the test running for conformance grants “root your cluster” permissions.

I occasionally regret the defaults we picked because people get frustrated that random software off the internet doesn’t run.

That said, every severe (or almost every) container runtime vulnerability in the last five years has not applied to a default pod running on OpenShift, so there’s at least some comfort there.

To grant “run as uid 0” is a one-line RBAC assignment. To grant “run as uid 0 and access host” is a similar statement.

https://github.com/openshift/origin/blob/master/test/extende...

And you can do the same for your environment. You can run root containers on OpenShift; it's a setting, not a baked-in compiled choice or something similar.
That is true. It's a tradeoff when you consider turning off SELinux, too, however.
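The thread above says that letting a workload run as uid 0 on OpenShift is a one-line RBAC assignment rather than a compile-time choice. The manifests below are an added illustration of what that assignment looks like in practice; they are not taken from the thread or from the OpenShift repository. The namespace `legacy-app`, the service account `legacy-app`, and the role and binding names are assumed placeholders. `anyuid` and `privileged` are built-in OpenShift SCC names, and `use` on `securitycontextconstraints` in the `security.openshift.io` API group is the standard verb for granting access to an SCC. The grant is deliberately scoped to one service account in one namespace, so the default `restricted` behaviour stays in force for everything else in the cluster.

```yaml
# Added example (not from the thread). Grants one service account the right
# to be admitted under the built-in "anyuid" SCC, which permits running as
# uid 0 inside the container but still denies host namespaces, host paths
# and privileged mode. Replacing "anyuid" with "privileged" below is the
# "run as uid 0 and access host" variant the comment mentions: that SCC
# also disables the SELinux and seccomp isolation a default pod gets, so
# it should be reserved for components that genuinely need the host.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-scc-anyuid          # assumed name
  namespace: legacy-app         # assumed namespace; the grant is namespace-local
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["anyuid"]   # built-in SCC; narrowest one that allows uid 0
    verbs: ["use"]
---
# Bind the role to a single service account rather than to "system:authenticated"
# or a whole group, so only pods that opt in via serviceAccountName are affected.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: legacy-app-anyuid       # assumed name
  namespace: legacy-app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-scc-anyuid
subjects:
  - kind: ServiceAccount
    name: legacy-app            # assumed service account
    namespace: legacy-app
---
# A pod that actually uses the grant. Without the binding above, admission
# would reject runAsUser: 0 for this namespace's default service account.
apiVersion: v1
kind: Pod
metadata:
  name: legacy-app              # assumed name
  namespace: legacy-app
spec:
  serviceAccountName: legacy-app
  containers:
    - name: app
      image: registry.example.com/legacy-app:1.0   # placeholder image
      securityContext:
        runAsUser: 0            # the one thing "restricted" would not allow
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]         # root uid does not have to mean root capabilities
```

The equivalent one-liner is `oc adm policy add-scc-to-user anyuid -z legacy-app -n legacy-app`, which creates the same kind of binding. After the pod is admitted, `oc get pod legacy-app -n legacy-app -o jsonpath='{.metadata.annotations.openshift\.io/scc}'` shows which SCC admitted it; every other pod in the cluster should still report `restricted`, which is the check worth scripting if you want to know how many workloads have been carved out of the defaults discussed above.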