openshift-docs/modules/storage-persistent-storage-nfs-user-ids.adoc

// Module included in the following assemblies:
//
// * storage/persistent_storage/persistent-storage-nfs.aodc

:_mod-docs-content-type: REFERENCE
[id="nfs-user-id_{context}"]
= User IDs

User IDs can be defined in the container image or in the `Pod` definition.

[NOTE]
====
It is generally preferable to use supplemental group IDs to gain access to
persistent storage versus using user IDs.
====

In the example target NFS directory shown above, the container
needs its UID set to `65534`, ignoring group IDs for the moment, so the
following can be added to the `Pod` definition:

[source,yaml]
----
spec:
  containers: <1>
  - name:
  ...
    securityContext:
      runAsUser: 65534 <2>
----
<1> Pods contain a `securityContext` definition specific to each container and
a pod's `securityContext` which applies to all containers defined in
the pod.
<2> `65534` is the `nfsnobody` user.

Assuming that the project is `default` and the SCC is `restricted`, the user ID of `65534` as requested by the pod is not allowed. Therefore, the pod fails for the following reasons:

* It requests `65534` as its user ID.
* All SCCs available to the pod are examined to see which SCC allows a
user ID of `65534`. While all policies of the SCCs are checked, the focus
here is on user ID.
* Because all available SCCs use `MustRunAsRange` for their `runAsUser`
strategy, UID range checking is required.
* `65534` is not included in the SCC or project's user ID range.

It is generally considered a good practice not to modify the predefined
SCCs. The preferred way to fix this situation is to create a custom SCC
A custom SCC can be created such that minimum and maximum user IDs
are defined, UID range checking is still enforced, and the UID of `65534`
 is allowed.

[NOTE]
====
To use a custom SCC, you must first add it to the appropriate service
account. For example, use the `default` service account in the given project
unless another has been specified on the `Pod` specification.
====