Builds in OpenShift Container Platform are run in privileged containers. Depending on the
build strategy used, this allows a user who can run builds to escalate their
permissions on the cluster and host nodes. As a security measure, limit who can
run builds and the strategy that is used for those builds. Custom builds are
inherently less safe than Source builds, because they can execute any code
within a privileged container, and are disabled by default. Grant Docker build
permissions with caution, because a vulnerability in the Dockerfile processing
logic could result in a privileges being granted on the host node.
By default, all users that can create builds are granted permission to use the
Docker and Source-to-Image (s2i) build strategies. Users with cluster-admin
privileges can enable the Custom build strategy, as referenced in the
restricting build strategies to a user globally section.
You can control who can build and which build strategies they can use by using
an authorization policy. Each build strategy has a corresponding build
subresource. A user must have permission to create a build and permission to
create on the build strategy subresource in order to create builds using that
strategy. Default roles are provided which grant the create permission on the
build strategy subresource.
Table 1. Build Strategy Subresources and Roles
Strategy |
Subresource |
Role |
Docker |
builds/docker |
system:build-strategy-docker |
Source-to-Image |
builds/source |
system:build-strategy-source |
Custom |
builds/custom |
system:build-strategy-custom |
JenkinsPipeline |
builds/jenkinspipeline |
system:build-strategy-jenkinspipeline |