Let me explain very clearly, so you fully understand why some images work and some don’t in OpenShift:
Big Picture: OpenShift Is Different from Vanilla Kubernetes
| Topic | Kubernetes | OpenShift | 
|---|---|---|
| Can run root containers? | Allowed by default | Not allowed by default (Security!) | 
| Need special non-root images? | No | Yes, or modify yourself | 
| Handles normal Docker images easily? | Yes | Sometimes extra care needed | 
| Focus | Flexible | Secure by Design | 
OpenShift enforces Security Context Constraints (SCC).
OpenShift forces containers to run non-root by default.
Why nginx-unprivileged worked but others failed
| Image | Why it Worked / Failed | 
|---|---|
| nginxinc/nginx-unprivileged | Worked: built specifically to run as non-root, listens on 8080 | 
| registry.redhat.io/rhscl/nginx-116-rhel7 | Failed: it’s an S2I base image, not runnable directly | 
| nginx:latest (official) | Failed: tries to bind port 80, needs root | 
| bitnami/nginx | Works if you map to 8080 | 
| Any random DockerHub NGINX | Fails unless it listens >1024 and runs non-root | 
The 3 Problems You Face with Most Docker Images in OpenShift
| Issue | Why Happens | How to Solve | 
|---|---|---|
| Image expects to run as root | OpenShift blocks root by default | Use non-root images (unprivileged) or modify Dockerfile | 
| Image tries to bind port 80 | Only root can bind ports <1024 | Configure container to listen on 8080 or higher | 
| Image is an S2I base (not normal app) | Meant for building apps, not direct run | Use `oc new-app` + `--strategy=source` or use a proper image | 
In simple words:
- Normal Kubernetes: You can pull almost any DockerHub image and it runs.
- OpenShift: You must care about non-root and correct ports, or your app won’t run.
How to Choose Images for OpenShift:
Prefer images labeled as “OpenShift Ready”, “non-root”, or “unprivileged”.
If using random DockerHub images:
- Make sure they don’t require the root user.
- Make sure they listen on a port >1024 (like 8080, 8443).
For NGINX specifically:
- Use nginxinc/nginx-unprivileged (best for OpenShift).
- Or customize your own nginx Dockerfile to listen on port 8080 and remove the `user nginx;` line.
Quick Visual:
| Image Type | Works Directly in OpenShift? | Extra Work Needed? | 
|---|---|---|
| nginxinc/nginx-unprivileged | Yes | No | 
| bitnami/nginx | Mostly | Adjust port sometimes | 
| nginx:latest | No | Must modify (port, user) | 
| registry.redhat.io/rhscl/nginx-116-rhel7 | Not direct | Use S2I build process | 
| Your own custom Docker image | No, if it runs as root | Modify to non-root | 
Final Cheat Sheet for You
| What to Check | Why Important | 
|---|---|
| Running user (root or non-root) | OpenShift only allows a random high UID (non-root) | 
| Listening Port | Must be >1024 (8080, 8443, etc.) | 
| Image type | Is it a runnable app image or just an S2I builder base? | 
| OpenShift SCCs (Security Context Constraints) | Forces strict security on containers | 
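
The three image-level checks from the cheat sheet can be run against an image's config before deploying. The following is an added example, not code from the original post: the function name `preflight` and the sample configs are constructed for illustration, and the input is assumed to be the JSON object printed by `docker image inspect --format '{{json .Config}}' IMAGE`.

```python
import json

# Constructed sample input: trimmed image configs in the shape of the
# .Config object from `docker image inspect`. Values are illustrative only.
SAMPLES = {
    "root-nginx": '{"User": "", "ExposedPorts": {"80/tcp": {}}, "Labels": null}',
    "unprivileged-nginx": '{"User": "101", "ExposedPorts": {"8080/tcp": {}}, "Labels": {}}',
    "s2i-builder": '{"User": "1001", "ExposedPorts": {"8080/tcp": {}, "8443/tcp": {}},'
                   ' "Labels": {"io.openshift.s2i.scripts-url": "image:///usr/libexec/s2i"}}',
}


def preflight(config_json):
    """Return findings for the three cheat-sheet checks (empty list = ok)."""
    cfg = json.loads(config_json)
    findings = []

    # 1. Running user: an empty USER means root; so do "0", "root", "0:0", "root:root".
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs-as-root")

    # 2. Listening port: only root can bind ports below 1024.
    for spec in sorted(cfg.get("ExposedPorts") or {}):
        port = int(spec.split("/")[0])
        if port < 1024:
            findings.append(f"low-port:{port}")

    # 3. Image type: S2I builder images carry the scripts-url label.
    labels = cfg.get("Labels") or {}
    if "io.openshift.s2i.scripts-url" in labels:
        findings.append("s2i-builder")
    return findings


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = preflight(raw)
        print(f"{name}: {', '.join(result) if result else 'ok'}")
```

`ExposedPorts` is only what the image declares with `EXPOSE`; an image can still listen on a port it never declared, so confirm the actual listen port in the application config as well.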
In one line:
In OpenShift, containers must run as non-root and non-privileged and listen on ports >1024; otherwise they fail!
I'm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow, and SEO strategies at Wizbrand.
