...
NAME | PRIV | CAPS | SELINUX | RUNASUSER | FSGROUP | SUPGROUP | PRIORITY | READONLYROOTFS | VOLUMES |
---|---|---|---|---|---|---|---|---|---|
anyuid | false | - | MustRunAs | RunAsAny | RunAsAny | RunAsAny | 10 | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |
hostaccess | false | - | MustRunAs | MustRunAsRange | MustRunAs | RunAsAny | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","hostPath","persistentVolumeClaim","projected","secret"] |
hostmount-anyuid | false | - | MustRunAs | RunAsAny | RunAsAny | RunAsAny | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","hostPath","nfs","persistentVolumeClaim","projected","secret"] |
hostnetwork | false | - | MustRunAs | MustRunAsRange | MustRunAs | MustRunAs | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |
hostnetwork-v2 | false | ["NET_BIND_SERVICE"] | MustRunAs | MustRunAsRange | MustRunAs | MustRunAs | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |
machine-api-termination-handler | false | - | MustRunAs | RunAsAny | MustRunAs | MustRunAs | - | false | ["downwardAPI","hostPath"] |
node-exporter | true | | RunAsAny | RunAsAny | RunAsAny | RunAsAny | - | false | ["*"] |
nonroot | false | - | MustRunAs | MustRunAsNonRoot | RunAsAny | RunAsAny | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |
nonroot-v2 | false | ["NET_BIND_SERVICE"] | MustRunAs | MustRunAsNonRoot | RunAsAny | RunAsAny | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |
privileged | true | ["*"] | RunAsAny | RunAsAny | RunAsAny | RunAsAny | - | false | ["*"] |
restricted | false | - | MustRunAs | MustRunAsRange | MustRunAs | RunAsAny | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |
restricted-v2 | false | ["NET_BIND_SERVICE"] | MustRunAs | MustRunAsRange | MustRunAs | RunAsAny | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |

Assigning an SCC to a Service Account
```bash
oc adm policy add-scc-to-user nonroot-v2 -z default -n ncyd
```

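
A pre-flight check of a pod spec against the nonroot-v2 row of the table above, as an added example (not part of the original page and not OpenShift's own admission code). It models only the PRIV, CAPS, RUNASUSER and VOLUMES columns shown here; the function names and the sample pod are constructed for illustration.

```python
# Added example: compares a pod spec with the nonroot-v2 row of the SCC table.
# Only the columns visible on this page are modelled (assumption).
NONROOT_V2 = {
    "privileged": False,
    "allowed_caps": {"NET_BIND_SERVICE"},
    "run_as_user": "MustRunAsNonRoot",
    "volumes": {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                "persistentVolumeClaim", "projected", "secret"},
}

def volume_type(volume):
    # A pod volume is {"name": ..., "<type>": {...}}; the non-name key is the type.
    return next(key for key in volume if key != "name")

def violations(pod_spec, scc=NONROOT_V2):
    """Return the reasons this pod spec would not fit the given SCC row."""
    found = []
    pod_sc = pod_spec.get("securityContext", {})
    for vol in pod_spec.get("volumes", []):
        vtype = volume_type(vol)
        if "*" not in scc["volumes"] and vtype not in scc["volumes"]:
            found.append(f"volume {vol['name']}: type {vtype} not allowed")
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not scc["privileged"]:
            found.append(f"{c['name']}: privileged not allowed")
        added = set(sc.get("capabilities", {}).get("add", []))
        if "*" not in scc["allowed_caps"]:
            for cap in sorted(added - scc["allowed_caps"]):
                found.append(f"{c['name']}: capability {cap} not allowed")
        # Container-level settings override pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if scc["run_as_user"] == "MustRunAsNonRoot" and (uid == 0 or non_root is False):
            found.append(f"{c['name']}: must run as non-root")
    return found

# Constructed sample pod spec: fits nonroot-v2.
GOOD_POD = {
    "securityContext": {"runAsUser": 1001},
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{"name": "web", "securityContext": {
        "capabilities": {"add": ["NET_BIND_SERVICE"]}}}],
}

if __name__ == "__main__":
    print(violations(GOOD_POD) or "fits nonroot-v2")
```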
Tutorial
https://www.youtube.com/watch?v=WHbp2Pz-haE
...