A Security Context Constraint is used to control certain things that a pod is or is not allowed to do, such as running a pod as root.

oc get serviceaccounts can be used to list the Service Accounts that have been created in the current project.

~]$ oc get serviceaccounts
NAME                  SECRETS   AGE
default               2         388d
my-servie-account     2         112s

oc get securitycontextconstraints can be used to list the Security Context Constraints.

~]$ oc get securitycontextconstraints
NAME                              PRIV    CAPS         SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY     READONLYROOTFS   VOLUMES
anyuid                            false   <no value>   MustRunAs   RunAsAny           RunAsAny    RunAsAny    10           false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
hostaccess                        false   <no value>   MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","hostPath","persistentVolumeClaim","projected","secret"]
hostmount-anyuid                  false   <no value>   MustRunAs   RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","hostPath","nfs","persistentVolumeClaim","projected","secret"]
hostnetwork                       false   <no value>   MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
nonroot                           false   <no value>   MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
privileged                        true    ["*"]        RunAsAny    RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["*"]
restricted                        false   <no value>   MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]

• anyuid - Same as the "restricted" Security Context Constraint but allows a pod to be run by any UID or GID.
• hostaccess - Allows access to all host namespaces but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
• hostmount-anyuid - Same as the "restricted" Security Context Constraint but allows host mounts and running as any UID and any GID on the system.
• hostnetwork - Allows using host networking and host ports but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
• nonroot - Same as the "restricted" Security Context Constraint but allows users to run with any non-root UID. The user must specify the UID or it must be specified in the manifest of the container runtime.
• privileged - Allows:
  • Users to run privileged pods
  • Pods to mount host directories as volumes
  • Pods to run as any user
  • Pods to run with any MCS label
  • Pods to use the host’s IPC namespace
  • Pods to use the host’s PID namespace
  • Pods to use any FSGroup
  • Pods to use any supplemental group
  • Pods to use any seccomp profiles
  • Pods to request any capabilities
• restricted - Denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC provided by a new installation and will be used by default for authenticated users.
  • Pods cannot run as privileged
  • Pods cannot mount host directory volumes (see Mount a local directory in a deployment and hostPath volumes are not allowed to be used)
  • Requires that a pod is run as a user in a pre-allocated range of UIDs
  • Requires that a pod is run with a pre-allocated MCS label
  • Allows pods to use any FSGroup
  • Allows pods to use any supplemental group

oc adm policy add-scc-to-user can be used to add a Security Context Constraint to a User Account. 

~]$ oc adm policy add-scc-to-user restricted john.doe
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:restricted added: "john.doe"

Or to a Group. 

~]$ oc adm policy add-scc-to-group restricted my-group
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:restricted added: "my-group"

Or to a Service Account. 

~]$ oc adm policy add-scc-to-user restricted -z my-service-account
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:restricted added: "my-service-account"

oc describe securitycontextconstraint can be used to list the User Accounts and Groups that have the Security Context Constraint. However, this output will not show the Service Accounts, which makes this a bit of an unreliable command.

~]$ oc describe scc restricted
Name:                                           restricted
Priority:                                       <none>
Access:
  Users:                                        john.doe
  Groups:                                       my-group

Once a Security Context Constraint (SCC) has been applied to a User, Group or Service Account, the Security Context Constraint will appear in the list of Cluster Role Bindings.

~]$ oc get clusterrolebindings | grep scc
NAME                               ROLE                                             AGE
system:openshift:scc:restricted    ClusterRole/system:openshift:scc:restricted      411s

oc describe clusterrolebindings can then be used to list the Users, Groups and Service Accounts that have the Security Context Constraint.

~]$ oc describe clusterrolebindings system:openshift:scc:restricted
Name:         system:openshift:scc:restricted
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:openshift:scc:restricted
Subjects:
  Kind            Name                Namespace
  ----            ----                ---------
  User            john.doe            my-project
  Group           my-group            my-project
  ServiceAccount  my-service-account  my-project