OpenShift - Add a Security Context Constraint to a User or Group or Service Account

A Security Context Constraint is used to control certain things that a deployment or pod is allowed or not allowed to do, such as mounting a host volume.

oc get serviceaccounts can be used to list the Service Accounts that have been created in the current project.

~]$ oc get serviceaccounts
NAME                  SECRETS   AGE
default               2         388d
my-servie-account     2         112s

 

oc get securitycontextconstraints can be used to list the Security Context Constraints.

~]$ oc get securitycontextconstraints
NAME                              PRIV    CAPS         SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY     READONLYROOTFS   VOLUMES
anyuid                            false   <no value>   MustRunAs   RunAsAny           RunAsAny    RunAsAny    10           false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
hostaccess                        false   <no value>   MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","hostPath","persistentVolumeClaim","projected","secret"]
hostmount-anyuid                  false   <no value>   MustRunAs   RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","hostPath","nfs","persistentVolumeClaim","projected","secret"]
hostnetwork                       false   <no value>   MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
nonroot                           false   <no value>   MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
privileged                        true    ["*"]        RunAsAny    RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["*"]
restricted                        false   <no value>   MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]

 

  • anyuid - Same as the "restricted" Security Context Constraint but allows a pod to be run by any UID or GID.
  • hostaccess - Allows access to all host namespaces but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
  • hostmount-anyuid - Same as the "restricted" Security Context Constraint but allows host mounts and running as any UID and any GID on the system.
  • hostnetwork - Allows using host networking and host ports but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
  • nonroot - Same as the "restricted" Security Context Constraint but allows users to run with any non-root UID. The user must specify the UID or it must be specified in the manifest of the container runtime.
  • privileged - Allows:
    • Users to run privileged pods
    • Pods to mount host directories as volumes
    • Pods to run as any user
    • Pods to run with any MCS label
    • Pods to use the host’s IPC namespace
    • Pods to use the host’s PID namespace
    • Pods to use any FSGroup
    • Pods to use any supplemental group
    • Pods to use any seccomp profiles
    • Pods to request any capabilities
  • restricted - Denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC provided by a new installation and will be used by default for authenticated users.

oc adm policy add-scc-to-user can be used to add a Security Context Constraint to a User Account

~]$ oc adm policy add-scc-to-user restricted john.doe
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:restricted added: "john.doe"

 

Or to a Group

~]$ oc adm policy add-scc-to-group restricted my-group
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:restricted added: "my-group"

 

Or to a Service Account

~]$ oc adm policy add-scc-to-user restricted -z my-service-account
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:restricted added: "my-service-account"

 

oc describe securitycontextconstraint can be used to list the User Accounts and Groups that have the Security Context Constraint. However, this output will not show the Service Accounts, which makes this a bit of an unreliable command.

~]$ oc describe scc restricted
Name:                                           restricted
Priority:                                       <none>
Access:
  Users:                                        john.doe
  Groups:                                       my-group

 

Once a Security Context Constraint (SCC) has been applied to a User, Group or Service Account, the Security Context Constraint will appear in the list of Cluster Role Bindings.

~]$ oc get clusterrolebindings | grep scc
NAME                               ROLE                                             AGE
system:openshift:scc:restricted    ClusterRole/system:openshift:scc:restricted      411s

 

oc describe clusterrolebindings can then be used to list the Users, Groups and Service Accounts that have the Security Context Constraint.

~]$ oc describe clusterrolebindings system:openshift:scc:restricted
Name:         system:openshift:scc:restricted
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:openshift:scc:restricted
Subjects:
  Kind            Name                Namespace
  ----            ----                ---------
  User            john.doe            my-project
  Group           my-group            my-project
  ServiceAccount  my-service-account  my-project

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee

Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.





Please enter b173c in the box below so that we can be sure you are a human.