OpenShift - Resolve "unable to validate against any security context constraint"
by
Jeremy Canfield |
Updated: March 15 2023
| OpenShift articles
Let's say something like this is being returned when attempting to deploy an app to a namespace. The "providers" are the Security Context Contraints.
Error creating: pods "my-deployment-" is forbidden:
unable to validate against any security context constraint: [
Forbidden: not usable by user or serviceaccount, provider "anyuid"
Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid"
Forbidden: not usable by user or serviceaccount, provider "hostnetwork"
Forbidden: not usable by user or serviceaccount, provider "hostaccess"
Forbidden: not usable by user or serviceaccount, provider "nonroot"
Forbidden: not usable by user or serviceaccount, provider "privileged"
Forbidden: not usable by user or serviceaccount, provider "restricted"
]
The oc get deployments command with the --output yaml or --output json option can be used to determine if the deployment is associated with a Service Account.
~]# oc get deployment my-app --output yaml --namespace my-project
spec:
template:
spec:
serviceAccount: default
serviceAccountName: default
The oc adm policy scc-subject-review command can be used list the Security Context Contraints that are allowed by a deployment.
~]# oc get deployment my-app --output yaml --namespace my-project | oc adm policy scc-subject-review --filename -
RESOURCE ALLOWED BY
Deployment/my-app hostmount-anyuid
In this example, the "default" Service Account would need the hostmount-anyuid Security Context Contraint. The oc adm policy add-scc-to-user command can be used to add a Security Context Contraint to a User or Service Account.
~]$ oc adm policy add-scc-to-user hostmount-anyuid -z default --namespace my-project
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:hostmount-anyuid added: "default"
Or this could be done with a User Account.
~]$ oc adm policy add-scc-to-user restricted john.doe --namespace my-project
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:restricted added: "john.doe"
Or a Group.
~]$ oc adm policy add-scc-to-group restricted my-group --namespace my-project
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:restricted added: "my-group"
The oc describe clusterrolebindings command can then be used to list the User Accounts and Service Accounts that have the Security Context Contraint.
~]$ oc describe rolebindings system:openshift:scc:hostmount-anyuid --namespace my-project
Name: system:openshift:scc:hostmount-anyuid
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: system:openshift:scc:hostmount-anyuid
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount default my-project
The oc get securitycontextcontraints (or oc get scc) command can be used to list the Security Context Contraints.
~]$ oc get securitycontextconstraints
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES
anyuid false <no value> MustRunAs RunAsAny RunAsAny RunAsAny 10 false ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
hostaccess false <no value> MustRunAs MustRunAsRange MustRunAs RunAsAny <no value> false ["configMap","downwardAPI","emptyDir","hostPath","persistentVolumeClaim","projected","secret"]
hostmount-anyuid false <no value> MustRunAs RunAsAny RunAsAny RunAsAny <no value> false ["configMap","downwardAPI","emptyDir","hostPath","nfs","persistentVolumeClaim","projected","secret"]
hostnetwork false <no value> MustRunAs MustRunAsRange MustRunAs MustRunAs <no value> false ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
nonroot false <no value> MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <no value> false ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
privileged true ["*"] RunAsAny RunAsAny RunAsAny RunAsAny <no value> false ["*"]
restricted false <no value> MustRunAs MustRunAsRange MustRunAs RunAsAny <no value> false ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
- anyuid - Same as the "restricted" Security Context Contraint but allows a pod to be run by any UID or GID.
- hostaccess - Allows access to all host namespaces but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
- hostmount-anyuid - Same as the "restricted" Security Context Contraint but allows host mounts and running as any UID and any GID on the system.
- hostnetwork - Allows using host networking and host ports but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
- nonroot - Same as the "restricted" Security Context Contraint but allows users to run with any non-root UID. The user must specify the UID or it must be specified in the manifest of the container runtime.
- privileged - Allows:
- Users to run privileged pods
- Pods to mount host directories as volumes
- Pods to run as any user
- Pods to run with any MCS label
- Pods to use the host’s IPC namespace
- Pods to use the host’s PID namespace
- Pods to use any FSGroup
- Pods to use any supplemental group
- Pods to use any seccomp profiles
- Pods to request any capabilities
- restricted - Denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC provided by a new installation and will be used by default for authenticated users.
- Ensures that pods cannot run as privileged
- Ensures that pods cannot mount host directory volumes
- Requires that a pod is run as a user in a pre-allocated range of UIDs
- Requires that a pod is run with a pre-allocated MCS label
- Allows pods to use any FSGroup
- Allows pods to use any supplemental group
Did you find this article helpful?
If so, consider buying me a coffee over at 