OpenShift version: 3.10
OpenShift ships seven SCCs by default, but they may not satisfy every deployment's demands, so it is often better to create a new, dedicated SCC for a non-root deployment.
To get a basic understanding of SCCs, see my blog post <<OpenShift Security Context Constraint>>.
The seven default SCCs are:

```
oc get scc
NAME               PRIV    CAPS   SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY   READONLYROOTFS   VOLUMES
anyuid             false   []     MustRunAs   RunAsAny           RunAsAny    RunAsAny    10         false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
hostaccess         false   []     MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath persistentVolumeClaim projected secret]
hostmount-anyuid   false   []     MustRunAs   RunAsAny           RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim projected secret]
hostnetwork        false   []     MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
nonroot            false   []     MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
privileged         true    [*]    RunAsAny    RunAsAny           RunAsAny    RunAsAny    <none>     false            [*]
restricted         false   []     MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
```
Don't forget to examine each SCC in detail, for example with oc describe scc privileged.
SCC YAML Demo
For how to write an SCC YAML file and what each field means, see the OpenShift SCC official documentation.
Create a file named scc-customized.yaml and fill in each value carefully to satisfy the demands. Note that every allowHost* flag set to true below, and granting the SCC to the group system:authenticated, widens what any authenticated user's pods may do, so keep only the settings the workload actually requires.

```yaml
kind: SecurityContextConstraints
apiVersion: v1
metadata:
  name: scc-customized
allowPrivilegedContainer: false
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowedCapabilities:
- SYS_NICE
- IPC_OWNER
- SYS_RESOURCE
requiredDropCapabilities: []
defaultAddCapabilities: []
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users: []
groups:
- system:authenticated
volumes:
- '*'
```
```
oc create -f scc-customized.yaml
```
Then, for example, you can bind the default service account to this SCC:

```
oc adm policy add-scc-to-user scc-customized system:serviceaccount:<project>:default
```
The default service account is used by all pods in the project unless they specify a different service account.
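As an added example (not from the original post and not OpenShift tooling), here is a small POSIX shell pre-flight check that flags the widening settings in an SCC manifest before it is applied with oc create; the helper names and the trimmed sample manifest it writes are constructed for this example.

```shell
# Pre-flight review of an SCC manifest before `oc create -f` (added example, not
# OpenShift tooling). Assumes top-level keys at column 0, as in the manifest above.
# Print one WARN line per widening setting in the SCC file given as $1.
scc_findings() {
    # Host-namespace and privileged flags: true lets the pod escape isolation.
    for key in allowPrivilegedContainer allowHostIPC allowHostNetwork allowHostPID allowHostPorts; do
        grep -Eq "^${key}:[[:space:]]*true" "$1" && echo "WARN: ${key}: true"
    done
    # Extra Linux capabilities a container may request beyond the default set.
    caps=$(awk '/^allowedCapabilities:/{on=1;next} /^[^ -]/{on=0} on&&/^- /{sub(/^- */,""); printf "%s ",$0}' "$1")
    [ -n "$caps" ] && echo "WARN: allowedCapabilities: ${caps% }"
    # Granting the SCC to system:authenticated hands it to every logged-in user.
    awk '/^groups:/{on=1;next} /^[^ -]/{on=0} on' "$1" | grep -q 'system:authenticated' \
        && echo "WARN: groups: system:authenticated"
    # A wildcard volume list includes hostPath, i.e. read/write access to the node.
    awk '/^volumes:/{on=1;next} /^[^ -]/{on=0} on' "$1" | grep -Fq '*' \
        && echo "WARN: volumes: '*' (allows hostPath)"
    return 0
}
# Summarise and fail (exit 1) when anything was flagged, so it can gate oc create.
scc_review() {
    scc_findings "$1"
    n=$(scc_findings "$1" | grep -c . || true)
    echo "$n widening setting(s) in $1"
    [ "$n" -eq 0 ]
}
# Constructed sample: a trimmed copy of the scc-customized manifest, written to a temp file.
write_sample_scc() {
    t=$(mktemp)
    cat > "$t" <<'EOF'
kind: SecurityContextConstraints
metadata:
  name: scc-customized
allowPrivilegedContainer: false
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowedCapabilities:
- SYS_NICE
runAsUser:
  type: MustRunAsNonRoot
groups:
- system:authenticated
volumes:
- '*'
EOF
    echo "$t"
}
```

Run scc_review scc-customized.yaml before oc create -f; a non-zero exit means the manifest grants more than the restricted SCC and each WARN line should be a deliberate decision.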