OpenShift SCC Customized

Posted on Edited on In

OpenShift version: 3.10

There are by default 7 SCCs in OpenShift, but that may not satisfy the demands and it’s better to create a new dedicated one to use for non-root deployment.

To get basic understand about SCC, see my blog <<OpenShift Security Context Constraint>>.

7 default existing SCCs are:

1
2
3
4
5
6
7
8
9
10
oc get scc

NAME               PRIV      CAPS      SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY   READONLYROOTFS   VOLUMES
anyuid             false     []        MustRunAs   RunAsAny           RunAsAny    RunAsAny    10         false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
hostaccess         false     []        MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath persistentVolumeClaim projected secret]
hostmount-anyuid   false     []        MustRunAs   RunAsAny           RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim projected secret]
hostnetwork        false     []        MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
nonroot            false     []        MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
privileged         true      [*]       RunAsAny    RunAsAny           RunAsAny    RunAsAny    <none>     false            [*]
restricted         false     []        MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]

Don’t forget to examine SCC, such as oc describe scc privileged.

SCC Yaml Demo

How to write SCC yaml and what does each field mean? OpenShift SCC official

Create a file named as scc-customized.yaml, carefully fill the value to satisfy the demands

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: scc-customized
## permission
allowPrivilegedContainer: false
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
#allowedFlexVolumes: null
## linux capabilities, some pods require these
allowedCapabilities:
- SYS_NICE
- IPC_OWNER
- SYS_RESOURCE
requiredDropCapabilities: []
defaultAddCapabilities: []
## strategies
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
## who can access this SCC
users: []
groups:
- system:authenticated
## may narrow down insteaf of `*`
volumes:
- '*'
1
oc create -f scc-customized.yaml

Then, for example, you can bind default service account to this SCC:

1
oc adm policy add-scc-to-user scc-customized system:serviceaccount:<project>:default

A default service account is used by all other pods unless they specify a different service account.