OpenShift SecurityContextConstraints (SCC)
OpenShift SecurityContextConstraints (SCC)
It’s recommended to use RBAC to provide access to existing SCCs.
Using # oc adm policy add-scc-to-user anyuid -z useroot
will create a rolebinding to a role granting access to modify the SCC (this was changed from directly adding users/groups to the SCC object itself in earlier versions of OpenShift). Note that the -n
for namespace is not acknowledged correctly for this command at this time (2023-06-10, TODO: file an issue or fix the code), so you should be in the namespace of the serviceaccount to make this work correctly. You can also do the following:
# oc create role useroot --verb=use --resource=securitycontextconstraint --resource-name=anyuid
(create a role that gives access to the anyuuid scc)
# oc create rolebinding useroot --role=useroot --serviceaccount=<namespace>:<sa>
(bind it to the service account)
Creating a custom, more restrictive SCC
I would like a custom SCC that is more restrictive than our current default. I would like it to be available to all users to selectively use, which means creating a RoleBinding from a ServiceAccount to a ClusterRole that allows use of the particular SCC. In order to do that, I must add the system:authenticated group to the SCC. However, that results in a priority challenge with the existing restricted SCC that also is available to the same group, and based on our SCC priority rules, this new more restrictive SCC takes precendence over the default restricted SCC. This ends up breaking other applications which are part of the platform using the standard restricted SCC.
As a result, if you want to use your custom SCC as a default, you cannot configure it as default in OpenShift. I would recommend configuring it as a part of a pipeline and creating a policy to enforce the rule on pods inclusive or exclusive to a particular namespace. This way you could manage preventing platform pods from accidentally using the SCC.
TODO: link to github project with example restrictive SCC. Links to updated restricted v2 and upstream.
Walk through an example.