Let me explain very clearly, so you fully understand why some images work, some don’t in OpenShift 🚀:
🎯 Big Picture: OpenShift Is Different from Vanilla Kubernetes
| Topic | Kubernetes | OpenShift |
|---|---|---|
| Can run root containers? | ✅ Allowed by default | ❌ Not allowed by default (Security!) |
| Need special non-root images? | ❌ No | ✅ Yes, or modify yourself |
| Handles normal Docker images easily? | ✅ Yes | 🟡 Sometimes extra care needed |
| Focus | Flexible | Secure by Design |
✅ OpenShift enforces Security Context Constraints (SCC)
✅ OpenShift forces containers to run non-root by default.
🛠 Why nginx-unprivileged worked but others failed?
| Image | Why it Worked / Failed |
|---|---|
nginxinc/nginx-unprivileged | ✅ Built specifically to run as non-root, listens on 8080 |
registry.redhat.io/rhscl/nginx-116-rhel7 | 🛑 It’s a S2I base image, not runnable directly |
nginx:latest (official) | 🛑 Tries to bind port 80, needs root |
bitnami/nginx | ✅ Works if you map to 8080 |
| Any random DockerHub NGINX | 🛑 Fails unless it listens >1024 and runs non-root |
📋 The 3 Problems You Face with Most Docker Images in OpenShift
| Issue | Why Happens | How to Solve |
|---|---|---|
| Image expects to run as root | OpenShift blocks root by default | Use non-root images (unprivileged) or modify Dockerfile |
| Image tries to bind port 80 | Only root can bind ports <1024 | Configure container to listen on 8080 or higher |
| Image is an S2I base (not normal app) | Meant for building apps, not direct run | Use oc new-app + --strategy=source or use proper image |
🧠 In simple words:
- Normal Kubernetes: You can pull almost any DockerHub image and it runs.
- OpenShift: You must care about non-root and correct ports, or your app won’t run.
🚀 How to Choose Images for OpenShift:
✅ Prefer images labeled as “OpenShift Ready”, “non-root”, or “unprivileged”.
✅ If using random DockerHub images:
- Make sure they don’t require root user.
- Make sure they listen on port >1024 (like 8080, 8443).
✅ For NGINX specifically:
- Use
nginxinc/nginx-unprivileged(best for OpenShift). - Or customize your own nginx Dockerfile to listen on port 8080 and remove
user nginx;line.
🔥 Quick Visual:
| Image Type | Works Directly in OpenShift? | Extra Work Needed? |
|---|---|---|
| nginxinc/nginx-unprivileged | ✅ Yes | No |
| bitnami/nginx | ✅ Mostly | Adjust port sometimes |
| nginx:latest | ❌ No | Must modify (port, user) |
| registry.redhat.io/rhscl/nginx-116-rhel7 | 🛑 Not direct | Use S2I build process |
| Your own custom Docker image | 🛑 If root | Modify to non-root |
📢 Final Cheat Sheet for You
| What to Check | Why Important |
|---|---|
| Running user (root or non-root) | OpenShift only allows random high UID (non-root) |
| Listening Port | Must be >1024 (8080, 8443, etc.) |
| Image type | Is it runnable app image or just a S2I builder base? |
| OpenShift SCCs (Security Context Constraints) | Forces strict security on containers |
✨ In one line:
In OpenShift, containers must be non-root, non-privileged, and ports >1024 — otherwise they fail!
🚀 Bonus
Would you also like me to give you:
- 📦 How to convert any Docker image into OpenShift-ready by adjusting Dockerfile?
- 🔥 Full tutorial: Best practices for building OpenShift-compliant containers?
I’m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services — all in one place.
Explore Hospitals