kmodules / security-policy-api

Security Policy API (PSP | SCC)
https://github.com/kubernetes/features/issues/5#issuecomment-409384340
Apache License 2.0

SCC example #3

Open tamalsaha opened 5 years ago

tamalsaha commented 5 years ago

https://github.com/tektoncd/pipeline/blob/c7c7385863ab53bbcb6a1912d4b89fc2c1ccc7ab/docs/install.md#installing-tekton-pipelines-on-openshiftminishift

oc new-project tekton-pipelines
oc adm policy add-scc-to-user scc_name -z sa_name

allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: anyuid provides all features of the restricted SCC
      but allows users to run with any UID and any GID.
  creationTimestamp: "2019-05-18T16:25:51Z"
  name: anyuid
  resourceVersion: "17055"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/anyuid
  uid: 9a120266-7989-11e9-87e7-080027c73d7d
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users:
- system:serviceaccount:tekton-pipelines:tekton-pipelines-controller
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

tamalsaha commented 5 years ago

To modify your cluster so that it does not pre-allocate UIDs, allows containers to run as any user, and prevents privileged containers:

$ oc edit scc restricted

Change runAsUser.Type to RunAsAny.

https://docs.openshift.com/enterprise/3.0/admin_guide/manage_scc.html
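The anyuid SCC pasted above and the runAsUser change described in this comment, modelled as an added example (not code from the issue or from OpenShift's admission plugin): `check_pod` is a hypothetical helper, and the 1000-1999 UID range for the restricted-style rule is a constructed value, since on a real cluster it comes from the namespace annotation.

```python
# Added example, not code from the issue or from OpenShift: a simplified,
# offline model of how the SCC fields pasted above gate a pod spec. The real
# admission plugin also mutates pods (assigns a UID, injects required drops)
# and checks SELinux/fsGroup; this covers the fields that most often reject pods.

# Constructed subset of the anyuid SCC from the issue.
ANYUID = {
    "allowHostNetwork": False,
    "allowHostPID": False,
    "allowPrivilegedContainer": False,
    "allowedCapabilities": None,  # null: no added capabilities permitted
    "runAsUser": {"type": "RunAsAny"},
    "volumes": ["configMap", "downwardAPI", "emptyDir",
                "persistentVolumeClaim", "projected", "secret"],
}
# Constructed restricted-style rule: same settings, but UIDs must fall in a
# range (on a real cluster the range comes from the namespace annotation).
RESTRICTED = dict(ANYUID, runAsUser={"type": "MustRunAsRange",
                                     "uidRangeMin": 1000, "uidRangeMax": 1999})


def check_pod(scc, pod):
    """Return the list of violations; empty means the SCC admits the pod."""
    errors = []
    spec = pod["spec"]
    if spec.get("hostNetwork") and not scc["allowHostNetwork"]:
        errors.append("hostNetwork not allowed")
    if spec.get("hostPID") and not scc["allowHostPID"]:
        errors.append("hostPID not allowed")
    for vol in spec.get("volumes", []):
        kind = next(k for k in vol if k != "name")  # e.g. hostPath, secret
        if kind not in scc["volumes"]:
            errors.append(f"volume {vol['name']}: type {kind} not allowed")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged") and not scc["allowPrivilegedContainer"]:
            errors.append(f"{c['name']}: privileged not allowed")
        extra = set(sc.get("capabilities", {}).get("add", [])) \
            - set(scc["allowedCapabilities"] or [])
        if extra:
            errors.append(f"{c['name']}: capabilities {sorted(extra)} not allowed")
        uid, rule = sc.get("runAsUser"), scc["runAsUser"]
        # RunAsAny accepts any UID (including 0); MustRunAsRange rejects an
        # explicit UID outside the range and would assign one if none is set.
        if rule["type"] == "MustRunAsRange" and uid is not None \
                and not rule["uidRangeMin"] <= uid <= rule["uidRangeMax"]:
            errors.append(f"{c['name']}: uid {uid} outside "
                          f"{rule['uidRangeMin']}-{rule['uidRangeMax']}")
    return errors
```

A pod that sets `runAsUser: 0` is admitted by `ANYUID` but rejected by `RESTRICTED`, which is exactly what switching `runAsUser.type` to `RunAsAny` changes.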

tamalsaha commented 5 years ago

By default, the execution of any container will be granted the restricted SCC and only the capabilities defined by that SCC.

https://blog.openshift.com/understanding-service-accounts-sccs/