...
oc adm policy add-scc-to-user nonroot-v2 -z default -n ncyd<NAMESPACE>
Tutorial
https://www.youtube.com/watch?v=WHbp2Pz-haE
https://developer.ibm.com/learningpaths/secure-context-constraints-openshift/scc-tutorial/
Steps
Log in and create our demo project
oc login -u kubeadmin https://api.crc.testing:6443
oc new-project demo
oc project demo
Apply our default deployment
...
See what SCC was applied using the describe command:
...
apiVersion: v1
kind: Pod
metadata:
  annotations:
    openshift.io/scc: restricted-v2
  ...
spec:
  containers:
  - command:
    - sh
    - -c
    - echo "Hello from user $(id -u)" && sleep infinity
    image: ubi8/ubi-minimal
    imagePullPolicy: Always
    name: ubi-minimal
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsNonRoot: true
      runAsUser: 1000660000
  ...
  securityContext:
    fsGroup: 1000660000
    seLinuxOptions:
      level: s0:c26,c5
    seccompProfile:
      type: RuntimeDefault
  serviceAccount: default
  serviceAccountName: default
...
In the above, we can see the following values were applied:

The SCC that admitted the pod:
openshift.io/scc: restricted-v2

The container-level security context:
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  runAsNonRoot: true
  runAsUser: 1000660000

The pod-level security context:
securityContext:
  fsGroup: 1000660000
  seLinuxOptions:
    level: s0:c26,c5
  seccompProfile:
    type: RuntimeDefault

The service account the SCC was matched against:
serviceAccount: default
serviceAccountName: default
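As an added check (example code, not part of the IBM tutorial), the following audits a pod admitted under restricted-v2 against the namespace's pre-allocated ranges, the way a reviewer would confirm the SCC actually did its job. The openshift.io/sa.scc.uid-range and openshift.io/sa.scc.mcs annotation values are assumed for the demo project, and the pod spec is constructed from the output above.

```python
# Namespace annotations OpenShift pre-allocates per project; values ASSUMED for the demo project.
NAMESPACE_ANNOTATIONS = {
    "openshift.io/sa.scc.uid-range": "1000660000/10000",  # assumed, matches runAsUser above
    "openshift.io/sa.scc.mcs": "s0:c26,c5",               # assumed, matches seLinux level above
}
# Pod spec constructed from the describe output shown above.
ADMITTED_POD = {
    "metadata": {"annotations": {"openshift.io/scc": "restricted-v2"}},
    "spec": {
        "containers": [{"name": "ubi-minimal", "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
            "runAsNonRoot": True,
            "runAsUser": 1000660000}}],
        "securityContext": {
            "fsGroup": 1000660000,
            "seLinuxOptions": {"level": "s0:c26,c5"},
            "seccompProfile": {"type": "RuntimeDefault"}},
    },
}

def parse_range(spec):
    """Parse an OpenShift 'start/size' range into an inclusive (first, last) pair."""
    start, size = (int(x) for x in spec.split("/"))
    return start, start + size - 1

def audit_restricted_v2(pod, ns_annotations):
    """Return deviations from what restricted-v2 should have enforced (empty list = OK)."""
    findings = []
    scc = pod["metadata"].get("annotations", {}).get("openshift.io/scc")
    if scc != "restricted-v2":
        findings.append(f"admitted under SCC {scc!r}, not restricted-v2")
    lo, hi = parse_range(ns_annotations["openshift.io/sa.scc.uid-range"])
    pod_sc = pod["spec"].get("securityContext", {})
    if pod_sc.get("seLinuxOptions", {}).get("level") != ns_annotations["openshift.io/sa.scc.mcs"]:
        findings.append("SELinux level differs from the namespace MCS label")
    if pod_sc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        findings.append("seccomp profile is not RuntimeDefault")
    for c in pod["spec"]["containers"]:
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not all dropped")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not true")
        uid = sc.get("runAsUser")
        if uid is None or not lo <= uid <= hi:
            findings.append(f"{name}: runAsUser {uid} outside range {lo}-{hi}")
    return findings
```

Feed it the output of `oc get pod <name> -o json` and the project's annotations to compare what was admitted against what the namespace allows; an empty list means the pod landed where restricted-v2 says it should.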
Log in to the pod
...
References
Reference | URL |
---|---|
Tutorial | https://developer.ibm.com/learningpaths/secure-context-constraints-openshift/scc-tutorial/ |
Hands-on Demo: Use SCCs to restrict and empower OpenShift workloads | https://www.youtube.com/watch?v=WHbp2Pz-haE |
Tutorial Code | https://github.com/IBM/scc-tutorial-assets/tree/main |
...