oomichi / try-kubernetes


Investigate Security Context Constraints between OpenShift and Kubernetes #85

Closed oomichi closed 2 years ago

oomichi commented 5 years ago

https://docs.openshift.com/enterprise/3.0/admin_guide/manage_scc.html

oomichi commented 5 years ago

Security Context Constraints from OpenShift

ref: https://docs.openshift.com/enterprise/3.0/admin_guide/manage_scc.html

SCC allows administrators to control permissions for pods.

$ oc get scc
NAME         PRIV      CAPS      HOSTDIR   SELINUX     RUNASUSER
privileged   true      []        true      RunAsAny    RunAsAny
restricted   false     []        false     MustRunAs   MustRunAsRange

The original Kubernetes itself doesn't support SCC, like:

$ kubectl get scc
error: the server doesn't have a resource type "scc"

SCC is an OpenShift original; it doesn't exist in the original Kubernetes. Red Hat adds SCC to OpenShift on top of Kubernetes. Basically it depends on SELinux, which is one of the security systems of Linux. RHEL uses SELinux as the security system of the operating system, but Ubuntu uses AppArmor instead of SELinux. So that is completely a Red Hat original.

How to apply SCC to a pod?

That is controlled with the groups and users in the SCC definition. For example, the following is scc/privileged:

# oc export scc/privileged
allowHostDirVolumePlugin: true
allowPrivilegedContainer: true
apiVersion: v1
groups: 
- system:cluster-admins
- system:nodes
kind: SecurityContextConstraints
metadata:
  creationTimestamp: null
  name: privileged
runAsUser:
  type: RunAsAny 
seLinuxContext:
  type: RunAsAny 
users: 
- system:serviceaccount:openshift-infra:build-controller

In the above definition, the user system:serviceaccount:openshift-infra:build-controller and the groups system:cluster-admins and system:nodes have access to scc/privileged. That means these users can run privileged pods.
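
The comment above shows the two halves of an SCC: the restrictions (allowPrivilegedContainer, allowHostDirVolumePlugin, runAsUser, seLinuxContext) and the subject list (users, groups) that is allowed to use them. On the original Kubernetes the same thing was expressed with a PodSecurityPolicy for the restrictions plus RBAC for the subjects (a ClusterRole with the `use` verb on that policy, bound to the users and groups). The script below is an added example, not code from this issue or from the OpenShift or Kubernetes projects: it takes the scc/privileged object quoted above, rebuilt as a Python dict, and emits the equivalent PodSecurityPolicy, ClusterRole and ClusterRoleBinding. It also handles a constructed restricted-style SCC with an explicit UID range, and refuses a MustRunAsRange SCC with no range of its own, because OpenShift derives that range from a namespace annotation and PSP has no such mechanism. The ClusterRole/ClusterRoleBinding name `use-psp-<scc name>` and the SCC_RESTRICTED input are my own choices. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so this mapping only applies to the clusters the issue was written against.

```python
"""Map an OpenShift SecurityContextConstraints (SCC) dict onto the vanilla
Kubernetes objects that grant the same access: a policy/v1beta1
PodSecurityPolicy for the restrictions, and a ClusterRole + ClusterRoleBinding
for the SCC's users/groups (PSP carries no subject list; RBAC supplies it).
Added example, not OpenShift or Kubernetes project code."""
import json

# Constructed input: the scc/privileged export quoted in the issue, as a dict.
SCC_PRIVILEGED = {
    "apiVersion": "v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "privileged"},
    "allowHostDirVolumePlugin": True,
    "allowPrivilegedContainer": True,
    "runAsUser": {"type": "RunAsAny"},
    "seLinuxContext": {"type": "RunAsAny"},
    "users": ["system:serviceaccount:openshift-infra:build-controller"],
    "groups": ["system:cluster-admins", "system:nodes"],
}

# Constructed input (assumption, not from the issue): a restricted-style SCC
# that states its UID range itself instead of taking it from the namespace.
SCC_RESTRICTED = {
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "restricted"},
    "allowHostDirVolumePlugin": False,
    "allowPrivilegedContainer": False,
    "runAsUser": {"type": "MustRunAsRange", "uidRangeMin": 1000, "uidRangeMax": 1999},
    "seLinuxContext": {"type": "MustRunAs", "seLinuxOptions": {"level": "s0:c10,c0"}},
    "users": [],
    "groups": ["system:authenticated"],
}

# Volume types that never reach the host filesystem; used when the SCC forbids
# hostPath but lists no volumes (OpenShift 3.0 SCCs only had the hostDir flag).
NON_HOST_VOLUMES = ["configMap", "emptyDir", "projected", "secret",
                    "downwardAPI", "persistentVolumeClaim"]
RBAC_GROUP = "rbac.authorization.k8s.io"


def rbac_subject(name):
    """SCC `users` spell service accounts as system:serviceaccount:<ns>:<name>;
    anything else is treated as a plain User."""
    parts = name.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return {"kind": "ServiceAccount", "namespace": parts[2], "name": parts[3]}
    return {"kind": "User", "apiGroup": RBAC_GROUP, "name": name}


def run_as_user_rule(scc):
    """SCC runAsUser.type -> PSP runAsUser.rule (+ ranges where needed)."""
    ru = scc.get("runAsUser", {})
    kind = ru.get("type", "RunAsAny")
    if kind in ("RunAsAny", "MustRunAsNonRoot"):
        return {"rule": kind}
    if kind == "MustRunAs":                       # SCC pins one uid
        return {"rule": "MustRunAs", "ranges": [{"min": ru["uid"], "max": ru["uid"]}]}
    if kind == "MustRunAsRange":
        if "uidRangeMin" not in ru or "uidRangeMax" not in ru:
            raise ValueError("MustRunAsRange without uidRangeMin/uidRangeMax: "
                             "namespace-derived range has no PSP equivalent")
        return {"rule": "MustRunAs",
                "ranges": [{"min": ru["uidRangeMin"], "max": ru["uidRangeMax"]}]}
    raise ValueError("unknown runAsUser type %r" % kind)


def selinux_rule(scc):
    ctx = scc.get("seLinuxContext", {})
    if ctx.get("type", "RunAsAny") == "RunAsAny":
        return {"rule": "RunAsAny"}
    return {"rule": "MustRunAs", "seLinuxOptions": ctx.get("seLinuxOptions", {})}


def group_rule(scc, field):
    """fsGroup and supplementalGroups have the same shape on both sides."""
    g = scc.get(field, {})
    if g.get("type", "RunAsAny") == "RunAsAny":
        return {"rule": "RunAsAny"}
    return {"rule": "MustRunAs", "ranges": g.get("ranges", [])}


def volumes(scc):
    """allowHostDirVolumePlugin decides whether hostPath may appear."""
    allowed = list(scc.get("volumes", []))
    if scc.get("allowHostDirVolumePlugin"):
        if not allowed:
            return ["*"]                           # PSP wildcard: every type
        if "*" not in allowed and "hostPath" not in allowed:
            allowed.append("hostPath")
        return allowed
    if not allowed or "*" in allowed:
        allowed = list(NON_HOST_VOLUMES)
    return [v for v in allowed if v != "hostPath"]


def convert(scc):
    """Return (PodSecurityPolicy, ClusterRole, ClusterRoleBinding) dicts."""
    name = scc["metadata"]["name"]
    role_name = "use-psp-" + name                  # naming is our own choice
    psp = {"apiVersion": "policy/v1beta1", "kind": "PodSecurityPolicy",
           "metadata": {"name": name},
           "spec": {"privileged": bool(scc.get("allowPrivilegedContainer", False)),
                    "volumes": volumes(scc),
                    "runAsUser": run_as_user_rule(scc),
                    "seLinux": selinux_rule(scc),
                    "fsGroup": group_rule(scc, "fsGroup"),
                    "supplementalGroups": group_rule(scc, "supplementalGroups")}}
    role = {"apiVersion": RBAC_GROUP + "/v1", "kind": "ClusterRole",
            "metadata": {"name": role_name},
            "rules": [{"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
                       "resourceNames": [name], "verbs": ["use"]}]}
    subjects = [{"kind": "Group", "apiGroup": RBAC_GROUP, "name": g}
                for g in scc.get("groups", [])]
    subjects += [rbac_subject(u) for u in scc.get("users", [])]
    binding = {"apiVersion": RBAC_GROUP + "/v1", "kind": "ClusterRoleBinding",
               "metadata": {"name": role_name}, "subjects": subjects,
               "roleRef": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole",
                           "name": role_name}}
    return psp, role, binding


if __name__ == "__main__":
    for obj in convert(SCC_PRIVILEGED):
        print(json.dumps(obj, indent=2))          # JSON is valid YAML for kubectl apply -f
```

The printed JSON can be fed to `kubectl apply -f -` on a cluster that still serves policy/v1beta1. The point to take from the RBAC half is that on vanilla Kubernetes a pod can only be admitted under a PSP if the requesting user, or the pod's service account, holds the `use` verb on that specific policy, which is exactly the role the `users`/`groups` lists play on the SCC side.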

oomichi commented 5 years ago

Pod Security Policies from the original Kubernetes

ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/