SCCs
The default SCCs of a cluster, in the column layout printed by `oc get scc` (PRIORITY `-` means no priority set):

| NAME | PRIV | CAPS | SELINUX | RUNASUSER | FSGROUP | SUPGROUP | PRIORITY | READONLYROOTFS | VOLUMES |
|---|---|---|---|---|---|---|---|---|---|
| anyuid | false | - | MustRunAs | RunAsAny | RunAsAny | RunAsAny | 10 | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |
| hostaccess | false | - | MustRunAs | MustRunAsRange | MustRunAs | RunAsAny | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","hostPath","persistentVolumeClaim","projected","secret"] |
| hostmount-anyuid | false | - | MustRunAs | RunAsAny | RunAsAny | RunAsAny | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","hostPath","nfs","persistentVolumeClaim","projected","secret"] |
| hostnetwork | false | - | MustRunAs | MustRunAsRange | MustRunAs | MustRunAs | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |
| hostnetwork-v2 | false | ["NET_BIND_SERVICE"] | MustRunAs | MustRunAsRange | MustRunAs | MustRunAs | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |
| machine-api-termination-handler | false | - | MustRunAs | RunAsAny | MustRunAs | MustRunAs | - | false | ["downwardAPI","hostPath"] |
| node-exporter | true | - | RunAsAny | RunAsAny | RunAsAny | RunAsAny | - | false | ["*"] |
| nonroot | false | - | MustRunAs | MustRunAsNonRoot | RunAsAny | RunAsAny | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |
| nonroot-v2 | false | ["NET_BIND_SERVICE"] | MustRunAs | MustRunAsNonRoot | RunAsAny | RunAsAny | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |
| privileged | true | ["*"] | RunAsAny | RunAsAny | RunAsAny | RunAsAny | - | false | ["*"] |
| restricted | false | - | MustRunAs | MustRunAsRange | MustRunAs | RunAsAny | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |
| restricted-v2 | false | ["NET_BIND_SERVICE"] | MustRunAs | MustRunAsRange | MustRunAs | RunAsAny | - | false | ["configMap","csi","downwardAPI","emptyDir","ephemeral","persistentVolumeClaim","projected","secret"] |

The `-v2` variants differ from their predecessors in that they allow `NET_BIND_SERVICE` but require the pod to drop all other capabilities and set `allowPrivilegeEscalation: false`; `restricted-v2` is the SCC granted to all authenticated users and is therefore what a pod gets when nothing else has been granted to its service account.
Assigning an SCC to a Service Account

oc adm policy add-scc-to-user nonroot-v2 -z default -n <NAMESPACE>

This adds the service account `system:serviceaccount:<NAMESPACE>:default` to the `users` list of the cluster-scoped `nonroot-v2` SCC object. Two caveats: the pod is admitted by the highest-priority SCC the service account can use that accepts the pod, so granting `anyuid` (priority 10) makes it win over `restricted-v2` for every pod of that service account, not just the one you had in mind; and a Role granting the `use` verb on the `securitycontextconstraints` resource, bound to the service account, achieves the same result without editing the SCC object and is easier to review and revoke. `oc adm policy scc-subject-review` shows which SCC would admit a given manifest before you apply it.
Tutorial
https://www.youtube.com/watch?v=WHbp2Pz-haE
https://developer.ibm.com/learningpaths/secure-context-constraints-openshift/scc-tutorial/
Steps
Login and create our demo project
oc login -u kubeadmin https://api.crc.testing:6443
oc new-project demo
oc project demo

(`oc new-project` already switches the current project; the final `oc project demo` is only needed if you are returning to an existing project.)
Apply our default deployment
git clone https://github.com/IBM/scc-tutorial-assets.git
cd scc-tutorial-assets
oc apply -f deploy_default.yaml
See which SCC was applied by reading the pod back as YAML (the `openshift.io/scc` annotation is also printed by `oc describe pod`):

oc get pod/scc-tutorial-deploy-default-58db6b6f58-ww54l -o yaml

```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    openshift.io/scc: restricted-v2
  ...
spec:
  containers:
  - command:
    - sh
    - -c
    - echo "Hello from user $(id -u)" && sleep infinity
    image: ubi8/ubi-minimal
    imagePullPolicy: Always
    name: ubi-minimal
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsNonRoot: true
      runAsUser: 1000660000
  ...
  securityContext:
    fsGroup: 1000660000
    seLinuxOptions:
      level: s0:c26,c5
    seccompProfile:
      type: RuntimeDefault
  serviceAccount: default
  serviceAccountName: default
  ...
```
In the above we can see the following values were applied:

- `openshift.io/scc: restricted-v2`: the annotation the SCC admission plugin writes to record which SCC admitted the pod.
- Container `securityContext`: `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `runAsNonRoot: true`, `runAsUser: 1000660000`.
- Pod `securityContext`: `fsGroup: 1000660000`, `seLinuxOptions.level: s0:c26,c5`, `seccompProfile.type: RuntimeDefault`.
- `serviceAccount` / `serviceAccountName: default`.

None of these values come from the deployment manifest; the admission plugin filled them in from the `restricted-v2` strategies (`MustRunAsRange` for the user, `MustRunAs` for FSGroup and SELinux). The UID `1000660000` and the MCS level `s0:c26,c5` are the first values of the ranges that OpenShift allocated to the `demo` project when it was created, recorded in the namespace annotations `openshift.io/sa.scc.uid-range` and `openshift.io/sa.scc.mcs`. A pod that asks for a UID outside that range, or for `runAsUser: 0`, is rejected by `restricted-v2` and will only be admitted if its service account can use a less restrictive SCC such as `anyuid`.
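To make the table and the admitted pod above concrete, the following is an added example (not part of the IBM tutorial and not OpenShift's admission code) that models SCC admission for the columns the table shows: PRIV, CAPS, RUNASUSER, VOLUMES and PRIORITY, plus the namespace UID range. It reproduces the three situations discussed above: the tutorial pod admitted by `restricted-v2`, a pod asking for UID 0 being rejected until the service account is granted a more permissive SCC, and `anyuid` winning on priority once granted. The namespace annotation value `1000660000/10000`, the pod dictionaries and the restrictiveness ranking are constructed for the example; the real plugin also checks SELinux, FSGroup, seccomp, host namespaces and more fields.

```python
"""Simplified model of OpenShift SCC admission (added example, not OpenShift code)."""
from dataclasses import dataclass

STD_VOLUMES = ["configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
               "persistentVolumeClaim", "projected", "secret"]


@dataclass
class SCC:
    name: str
    priv: bool            # PRIV column: allowPrivilegedContainer
    caps: list            # CAPS column: allowedCapabilities, ["*"] = any
    run_as_user: str      # RUNASUSER column: RunAsAny | MustRunAsNonRoot | MustRunAsRange
    volumes: list         # VOLUMES column: allowed volume types, ["*"] = any
    priority: int = 0     # PRIORITY column: "-" in the table = 0


# A subset of the rows from the table above
SCCS = {
    "restricted-v2": SCC("restricted-v2", False, ["NET_BIND_SERVICE"], "MustRunAsRange", STD_VOLUMES),
    "nonroot-v2": SCC("nonroot-v2", False, ["NET_BIND_SERVICE"], "MustRunAsNonRoot", STD_VOLUMES),
    "anyuid": SCC("anyuid", False, [], "RunAsAny", STD_VOLUMES, priority=10),
    "hostmount-anyuid": SCC("hostmount-anyuid", False, [], "RunAsAny", STD_VOLUMES + ["hostPath", "nfs"]),
    "privileged": SCC("privileged", True, ["*"], "RunAsAny", ["*"]),
}


def uid_range(ns_annotations):
    """Parse openshift.io/sa.scc.uid-range ('<start>/<size>') into an inclusive (lo, hi)."""
    start, size = ns_annotations["openshift.io/sa.scc.uid-range"].split("/")
    return int(start), int(start) + int(size) - 1


def violations(scc, pod, ns_annotations):
    """Return the reasons `scc` would reject `pod`; an empty list means admitted."""
    errs = []
    lo, hi = uid_range(ns_annotations)
    pod_uid = pod.get("securityContext", {}).get("runAsUser")
    for c in pod["containers"]:
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not scc.priv:
            errs.append(f"{c['name']}: privileged container not allowed")
        for cap in sc.get("capabilities", {}).get("add", []):
            if "*" not in scc.caps and cap not in scc.caps:
                errs.append(f"{c['name']}: capability {cap} not allowed")
        uid = sc.get("runAsUser", pod_uid)  # container setting overrides the pod-level one
        if scc.run_as_user == "MustRunAsRange" and uid is not None and not lo <= uid <= hi:
            errs.append(f"{c['name']}: runAsUser {uid} outside namespace range {lo}-{hi}")
        if scc.run_as_user == "MustRunAsNonRoot" and uid == 0:
            errs.append(f"{c['name']}: runAsUser 0 not allowed (MustRunAsNonRoot)")
    for v in pod.get("volumes", []):
        vtype = next(k for k in v if k != "name")  # the one non-name key is the volume type
        if "*" not in scc.volumes and vtype not in scc.volumes:
            errs.append(f"volume {v['name']}: type {vtype} not allowed")
    return errs


def restrictiveness(scc):
    """Constructed stand-in for OpenShift's point-based ranking: lower sorts first."""
    rank = {"MustRunAsRange": 0, "MustRunAsNonRoot": 1, "RunAsAny": 2}
    return (scc.priv, "*" in scc.caps,
            "*" in scc.volumes or "hostPath" in scc.volumes, rank[scc.run_as_user])


def select_scc(usable, pod, ns_annotations):
    """Return the name of the first admitting SCC among those the service account can use.

    Order mirrors OpenShift: highest priority first, then most restrictive, then name.
    """
    ordered = sorted(usable, key=lambda s: (-s.priority, restrictiveness(s), s.name))
    for scc in ordered:
        if not violations(scc, pod, ns_annotations):
            return scc.name
    return None


# Constructed inputs: the annotation matches the UID observed on the tutorial pod above
NS = {"openshift.io/sa.scc.uid-range": "1000660000/10000"}
POD_DEFAULT = {"containers": [{"name": "ubi-minimal"}]}                # no securityContext requested
POD_ROOT = {"containers": [{"name": "ubi-minimal", "securityContext": {"runAsUser": 0}}]}
POD_HOSTPATH = {"containers": [{"name": "ubi-minimal"}],
                "volumes": [{"name": "host", "hostPath": {"path": "/var/log"}}]}

DEFAULT_SA = [SCCS["restricted-v2"]]      # a fresh project's default service account
ELEVATED_SA = list(SCCS.values())         # after add-scc-to-user for every SCC in this model

if __name__ == "__main__":
    print(select_scc(DEFAULT_SA, POD_DEFAULT, NS))    # restricted-v2
    print(select_scc(DEFAULT_SA, POD_ROOT, NS))       # None: rejected, no usable SCC admits UID 0
    print(select_scc(ELEVATED_SA, POD_DEFAULT, NS))   # anyuid: priority 10 beats restricted-v2
    print(select_scc(ELEVATED_SA, POD_HOSTPATH, NS))  # hostmount-anyuid
```

The third case is the one that surprises people: once `anyuid` is usable by a service account, every pod of that service account is admitted by `anyuid` even when it would have been perfectly happy under `restricted-v2`, because priority is evaluated before restrictiveness.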
Log in to the pod

oc rsh pod/scc-tutorial-deploy-default-58db6b6f58-ww54l

or

kubectl -n demo exec -it pod/scc-tutorial-deploy-default-58db6b6f58-ww54l -- bash

Inside the shell, `id -u` prints the injected UID `1000660000` rather than `0`, which is the observable effect of `restricted-v2` on an image that would otherwise run as root.
....
References
Reference | URL |
---|---|
Tutorial | https://developer.ibm.com/learningpaths/secure-context-constraints-openshift/scc-tutorial/ |
Hands-on Demo: Use SCCs to restrict and empower OpenShift workloads | https://www.youtube.com/watch?v=WHbp2Pz-haE |
Tutorial Code | https://github.com/IBM/scc-tutorial-assets/tree/main |