OpenShift SCC Customized

OpenShift version: 3.10

OpenShift ships with 7 SCCs by default, but they may not satisfy every workload's demands; in that case it is better to create a new, dedicated SCC for non-root deployments than to loosen a built-in one.

For a basic understanding of SCCs, see my blog post <<OpenShift Security Context Constraint>>.

The 7 default SCCs are (columns as printed by oc):

oc get scc

NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES
anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny 10 false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
hostaccess false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir hostPath persistentVolumeClaim projected secret]
hostmount-anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim projected secret]
hostnetwork false [] MustRunAs MustRunAsRange MustRunAs MustRunAs <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
nonroot false [] MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
privileged true [*] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*]
restricted false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]

Don't forget to examine each SCC in detail before relying on it, for example with oc describe scc privileged.

SCC Yaml Demo

For how to write an SCC YAML and what each field means, see the official OpenShift SCC documentation.

Create a file named scc-customized.yaml and fill in each value carefully so that it grants only what the workload actually needs:

kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: scc-customized
## permission
allowPrivilegedContainer: false
## host namespaces: each `true` here lets a pod share the node's IPC,
## network, PID namespace or host ports; keep them false unless a
## workload really needs them
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
#allowedFlexVolumes: null
## linux capabilities, some pods require these
allowedCapabilities:
- SYS_NICE
- IPC_OWNER
- SYS_RESOURCE
requiredDropCapabilities: []
defaultAddCapabilities: []
## strategies
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
## who can access this SCC
users: []
groups:
- system:authenticated
## may narrow down instead of `*`
volumes:
- '*'
oc create -f scc-customized.yaml

Then, for example, you can bind the project's default service account to this SCC:

oc adm policy add-scc-to-user scc-customized system:serviceaccount:<project>:default

The default service account is used by every pod in the project that does not specify a different service account, so binding it to this SCC makes the SCC available to all of those pods.
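Before creating the SCC, it is worth checking which of its settings reach beyond the built-in restricted SCC. The following review script is an added example, not part of the original post: the SCC_CUSTOMIZED dict is a constructed in-memory copy of scc-customized.yaml above, review_scc lists the settings that widen a pod's reach, and tighten shows the same SCC with the host-namespace flags off, the restricted volume list, and no group-wide grant (assumed alternative: bind service accounts explicitly with add-scc-to-user).

```python
from copy import deepcopy
from typing import Dict, List

# Constructed in-memory copy of the post's scc-customized.yaml (not loaded from disk).
SCC_CUSTOMIZED: Dict = {
    "kind": "SecurityContextConstraints", "apiVersion": "v1",
    "metadata": {"name": "scc-customized"},
    "allowPrivilegedContainer": False,
    "allowHostIPC": True, "allowHostNetwork": True,
    "allowHostPID": True, "allowHostPorts": True,
    "allowedCapabilities": ["SYS_NICE", "IPC_OWNER", "SYS_RESOURCE"],
    "requiredDropCapabilities": [], "defaultAddCapabilities": [],
    "runAsUser": {"type": "MustRunAsNonRoot"},
    "seLinuxContext": {"type": "RunAsAny"},
    "fsGroup": {"type": "RunAsAny"},
    "supplementalGroups": {"type": "RunAsAny"},
    "users": [], "groups": ["system:authenticated"],
    "volumes": ["*"],
}

HOST_FLAGS = ("allowHostIPC", "allowHostNetwork", "allowHostPID", "allowHostPorts")
# Volume plugins the built-in 'restricted' SCC permits (from the oc get scc table above).
RESTRICTED_VOLUMES = ["configMap", "downwardAPI", "emptyDir",
                      "persistentVolumeClaim", "projected", "secret"]


def review_scc(scc: Dict) -> List[str]:
    """List settings that reach beyond 'restricted'; an empty list means none."""
    findings: List[str] = []
    if scc.get("allowPrivilegedContainer"):
        findings.append("allowPrivilegedContainer: privileged pods permitted")
    for flag in HOST_FLAGS:  # each one exposes a node namespace to the pod
        if scc.get(flag):
            findings.append(f"{flag}: pod can share the node's namespace")
    if scc.get("runAsUser", {}).get("type") == "RunAsAny":
        findings.append("runAsUser RunAsAny: containers may run as root")
    if scc.get("seLinuxContext", {}).get("type") == "RunAsAny":
        findings.append("seLinuxContext RunAsAny: pod may pick its own SELinux label")
    caps = scc.get("allowedCapabilities") or []
    if caps:
        findings.append("allowedCapabilities: " + ", ".join(caps))
    if "*" in (scc.get("volumes") or []):
        findings.append("volumes '*': every volume plugin, hostPath included")
    if "system:authenticated" in (scc.get("groups") or []):
        findings.append("groups system:authenticated: any logged-in user can use this SCC")
    return findings


def tighten(scc: Dict) -> Dict:
    """Copy with host namespaces off, the restricted volume list and no group grant;
    the capabilities the post's workloads need are kept (assumed: grant per service account)."""
    out = deepcopy(scc)
    for flag in HOST_FLAGS:
        out[flag] = False
    out["volumes"] = list(RESTRICTED_VOLUMES)
    out["groups"] = []
    return out
```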
