Let me explain very clearly, so you fully understand why some images work, some donβt in OpenShift :
Big Picture: OpenShift Is Different from Vanilla Kubernetes
Topic | Kubernetes | OpenShift |
---|---|---|
Can run root containers? | ||
Need special non-root images? | ||
Handles normal Docker images easily? | ||
Focus | Flexible | Secure by Design |
OpenShift enforces Security Context Constraints (SCC)
OpenShift forces containers to run non-root by default.
Why nginx-unprivileged worked but others failed?
Image | Why it Worked / Failed |
---|---|
nginxinc/nginx-unprivileged | |
registry.redhat.io/rhscl/nginx-116-rhel7 | |
nginx:latest (official) | |
bitnami/nginx | |
Any random DockerHub NGINX |
The 3 Problems You Face with Most Docker Images in OpenShift
Issue | Why Happens | How to Solve |
---|---|---|
Image expects to run as root | OpenShift blocks root by default | Use non-root images (unprivileged ) or modify Dockerfile |
Image tries to bind port 80 | Only root can bind ports <1024 | Configure container to listen on 8080 or higher |
Image is an S2I base (not normal app) | Meant for building apps, not direct run | Use oc new-app + --strategy=source or use proper image |
In simple words:
- Normal Kubernetes: You can pull almost any DockerHub image and it runs.
- OpenShift: You must care about non-root and correct ports, or your app wonβt run.
How to Choose Images for OpenShift:
Prefer images labeled as βOpenShift Readyβ, βnon-rootβ, or βunprivilegedβ.
If using random DockerHub images:
- Make sure they donβt require root user.
- Make sure they listen on port >1024 (like 8080, 8443).
For NGINX specifically:
- Use
nginxinc/nginx-unprivileged
(best for OpenShift). - Or customize your own nginx Dockerfile to listen on port 8080 and remove
user nginx;
line.
Quick Visual:
Image Type | Works Directly in OpenShift? | Extra Work Needed? |
---|---|---|
nginxinc/nginx-unprivileged | No | |
bitnami/nginx | Adjust port sometimes | |
nginx:latest | Must modify (port, user) | |
registry.redhat.io/rhscl/nginx-116-rhel7 | Use S2I build process | |
Your own custom Docker image | Modify to non-root |
Final Cheat Sheet for You
What to Check | Why Important |
---|---|
Running user (root or non-root) | OpenShift only allows random high UID (non-root) |
Listening Port | Must be >1024 (8080, 8443, etc.) |
Image type | Is it runnable app image or just a S2I builder base? |
OpenShift SCCs (Security Context Constraints) | Forces strict security on containers |
In one line:
In OpenShift, containers must be non-root, non-privileged, and ports >1024 β otherwise they fail!
Bonus
Would you also like me to give you:
How to convert any Docker image into OpenShift-ready by adjusting Dockerfile?
Full tutorial: Best practices for building OpenShift-compliant containers?
Iβm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I am working at Cotocus. I blog tech insights at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at I reviewed , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at PINTEREST
Rajesh Kumar at QUORA
Rajesh Kumar at WIZBRAND