OpenShift - Resolve "unable to validate against any security context constraint"

Let's say something like this is being returned when attempting to deploy an app to a project / namespace. The "providers" are the Security Context Contraints.

Error creating: pods "my-deployment-" is forbidden: 
unable to validate against any security context constraint: [
 Forbidden: not usable by user or serviceaccount, provider "anyuid"
 Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid"
 Forbidden: not usable by user or serviceaccount, provider "hostnetwork"
 Forbidden: not usable by user or serviceaccount, provider "hostaccess"
 Forbidden: not usable by user or serviceaccount, provider "nonroot"
 Forbidden: not usable by user or serviceaccount, provider "privileged"
 Forbidden: not usable by user or serviceaccount, provider "restricted"
]

 

The oc get deployments command with the --output yaml or --output json option can be used to determine if the deployment is associated with a Service Account.

~]# oc get deployment my-app --output yaml
spec:
  template:
    spec:
      serviceAccount: default
      serviceAccountName: default

 

The oc adm policy scc-subject-review command can be used list the Security Context Contraints that are allowed by a deployment.

~]# oc get deployment my-app --output yaml | oc adm policy scc-subject-review --filename -
RESOURCE            ALLOWED BY         
Deployment/my-app   hostmount-anyuid

 

In this example, the "default" Service Account would need the hostmount-anyuid Security Context Contraint. The oc adm policy add-scc-to-user command can be used to add a Security Context Contraint to a User or Service Account.

~]$ oc adm policy add-scc-to-user hostmount-anyuid -z default
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:hostmount-anyuid added: "default"

 

Or this could be done with a User Account.

~]$ oc adm policy add-scc-to-user restricted john.doe
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:restricted added: "john.doe"

 

Or a Group. 

~]$ oc adm policy add-scc-to-group restricted my-group
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:restricted added: "my-group"

 

The oc describe clusterrolebindings command can then be used to list the User Accounts and Service Accounts that have the Security Context Contraint.

~]$ oc describe clusterrolebindings system:openshift:scc:hostmount-anyuid
Name:         system:openshift:scc:hostmount-anyuid
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  system:openshift:scc:hostmount-anyuid
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  default  my-project

 

The oc get securitycontextcontraints (or oc get scc) command can be used to list the Security Context Contraints.

~]$ oc get securitycontextconstraints
NAME                              PRIV    CAPS         SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY     READONLYROOTFS   VOLUMES
anyuid                            false   <no value>   MustRunAs   RunAsAny           RunAsAny    RunAsAny    10           false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
hostaccess                        false   <no value>   MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","hostPath","persistentVolumeClaim","projected","secret"]
hostmount-anyuid                  false   <no value>   MustRunAs   RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","hostPath","nfs","persistentVolumeClaim","projected","secret"]
hostnetwork                       false   <no value>   MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
nonroot                           false   <no value>   MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
privileged                        true    ["*"]        RunAsAny    RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["*"]
restricted                        false   <no value>   MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]

 

  • anyuid - Same as the "restricted" Security Context Contraint but allows a pod to be run by any UID or GID.
  • hostaccess - Allows access to all host namespaces but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
  • hostmount-anyuid - Same as the "restricted" Security Context Contraint but allows host mounts and running as any UID and any GID on the system.
  • hostnetwork - Allows using host networking and host ports but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
  • nonroot - Same as the "restricted" Security Context Contraint but allows users to run with any non-root UID. The user must specify the UID or it must be specified in the manifest of the container runtime.
  • privileged - Allows:
    • Users to run privileged pods
    • Pods to mount host directories as volumes
    • Pods to run as any user
    • Pods to run with any MCS label
    • Pods to use the host’s IPC namespace
    • Pods to use the host’s PID namespace
    • Pods to use any FSGroup
    • Pods to use any supplemental group
    • Pods to use any seccomp profiles
    • Pods to request any capabilities
  • restricted - Denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC provided by a new installation and will be used by default for authenticated users.
    • Ensures that pods cannot run as privileged
    • Ensures that pods cannot mount host directory volumes
    • Requires that a pod is run as a user in a pre-allocated range of UIDs
    • Requires that a pod is run with a pre-allocated MCS label
    • Allows pods to use any FSGroup
    • Allows pods to use any supplemental group

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee

Add a Comment




We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.





Please enter 67323 in the box below so that we can be sure you are a human.




Comments

Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |