This documentation is for a release that is no longer maintained
Chapter 7. Managing Security Context Constraints
7.1. Overview
Security context constraints allow administrators to control permissions for pods. To learn more about this API type, see the security context constraints (SCCs) architecture documentation. You can manage SCCs in your instance as normal API objects using the CLI.
You must have cluster-admin privileges to manage SCCs.
7.2. Listing Security Context Constraints
To get a current list of SCCs:

$ oc get scc
7.3. Examining a Security Context Constraints Object
To examine a particular SCC, use oc get, oc describe, oc export, or oc edit. For example, to examine the restricted SCC:

$ oc describe scc restricted
In order to preserve customized SCCs during upgrades, do not edit settings on the default SCCs other than priority, users, groups, labels, and annotations.
7.4. Creating New Security Context Constraints
To create a new SCC:
Define the SCC in a JSON or YAML file:
Example 7.1. Security Context Constraint Object Definition
Optionally, you can add drop capabilities to an SCC by setting the requiredDropCapabilities field with the desired values. Every capability listed is dropped from each container admitted under the SCC, whether or not the pod asks for it. For example, to create an SCC with the KILL, MKNOD, and SYS_CHROOT required drop capabilities, add the following to the SCC object:

requiredDropCapabilities:
- KILL
- MKNOD
- SYS_CHROOT

You can see the list of possible values in the Docker documentation.
Then run oc create, passing the file to create it:

$ oc create -f scc_admin.yaml
securitycontextconstraints/scc-admin

Verify that the SCC was created:

$ oc get scc
NAME         PRIV      CAPS      HOSTDIR   SELINUX     RUNASUSER
privileged   true      []        true      RunAsAny    RunAsAny
restricted   false     []        false     MustRunAs   MustRunAsRange
scc-admin    true      []        false     RunAsAny    RunAsAny
7.5. Deleting Security Context Constraints
To delete an SCC:

$ oc delete scc <scc_name>
If you delete the default SCCs, they will not be regenerated upon restart, unless you delete all SCCs. If any constraint already exists within the system, no regeneration will take place.
7.6. Updating Security Context Constraints
To update an existing SCC:

$ oc edit scc <scc_name>

In order to preserve customized SCCs during upgrades, do not edit settings on the default SCCs other than priority, users, groups, labels, and annotations.
7.7. Updating the Default Security Context Constraints
Default SCCs will be created when the master is started if they are missing. To reset SCCs to defaults, or to update existing SCCs to new default definitions after an upgrade, you may:
- Delete any SCC you would like to be reset and let it be recreated by restarting the master
- Use the oadm policy reconcile-sccs command
The oadm policy reconcile-sccs command sets all SCC policies to the default values but retains any additional users, groups, labels, and annotations, as well as priorities, you may have already set. To view which SCCs will be changed, run the command with no options, or specify your preferred output with the -o <format> option:

$ oadm policy reconcile-sccs
$ oadm policy reconcile-sccs -o <format>

After reviewing the output, back up your existing SCCs (for example with oc export scc) and then use the --confirm option to persist the data:

$ oadm policy reconcile-sccs --confirm

If you would like to reset priorities and grants as well, use the --additive-only=false option.
If you have customized settings other than priority, users, groups, labels, or annotations in an SCC, you will lose those settings when you reconcile.
7.8. How Do I?
The following describe common scenarios and procedures using SCCs.
7.8.1. Grant Access to the Privileged SCC
In some cases, an administrator might want to allow users or groups outside the administrator group to create more privileged pods. Membership in the privileged SCC permits privileged containers and host directory volumes (the PRIV and HOSTDIR columns in oc get scc), which is effectively root on whichever node the pod lands on, so grant it to the specific users or service accounts that need it rather than to broad groups. To do so:
- Determine the user or group you would like to have access to the SCC.
- Run:

$ oadm policy add-scc-to-user <scc_name> <user_name>
$ oadm policy add-scc-to-group <scc_name> <group_name>

For example, to allow the e2e-user access to the privileged SCC, run:

$ oadm policy add-scc-to-user privileged e2e-user
7.8.2. Grant a Service Account Access to the Privileged SCC
First, create a service account. For example, to create service account mysvcacct in project myproject:

$ oc create serviceaccount mysvcacct -n myproject

Then, add the service account to the privileged SCC:

$ oadm policy add-scc-to-user privileged system:serviceaccount:myproject:mysvcacct
7.8.3. Enable Images to Run with USER in the Dockerfile
To relax the security in your cluster so that images are not forced to run as a pre-allocated UID, without granting everyone access to the privileged SCC:
Grant all authenticated users access to the anyuid SCC:

$ oadm policy add-scc-to-group anyuid system:authenticated

This allows images to run as the root UID if no USER is specified in the Dockerfile. Because system:authenticated covers every logged-in user, this is a cluster-wide relaxation; if only a few workloads need it, grant anyuid to their service accounts instead, as in the next section.
7.8.4. Enable Container Images that Require Root
Some container images (examples: postgres and redis) require root access and have certain expectations about how volumes are owned. For these images, add the service account to the anyuid SCC:

$ oadm policy add-scc-to-user anyuid system:serviceaccount:myproject:mysvcacct
7.8.5. Use --mount-host on the Registry
It is recommended that persistent storage using PersistentVolume and PersistentVolumeClaim objects be used for registry deployments. If you are testing and would like to instead use the oadm registry command with the --mount-host option, you must first create a new service account for the registry and add it to the privileged SCC. See the Administrator Guide for full instructions.
7.8.6. Provide Additional Capabilities
In some cases, an image may require capabilities that Docker does not provide out of the box. You can provide the ability to request additional capabilities in the pod specification, which will be validated against an SCC.
This allows images to run with elevated capabilities and should be used only if necessary. You should not edit the default restricted SCC to enable additional capabilities.
When used in conjunction with a non-root user, you must also ensure that the file that requires the additional capability is granted the capabilities using the setcap command. For example, in the Dockerfile of the image:

setcap cap_net_raw,cap_net_admin+p /usr/bin/ping

Further, if a capability is provided by default in Docker, you do not need to modify the pod specification to request it. For example, NET_RAW is provided by default and capabilities should already be set on ping, therefore no special steps should be required to run ping.
To provide additional capabilities:
- Create a new SCC.
- Add the allowed capability using the allowedCapabilities field.
- When creating the pod, request the capability in the securityContext.capabilities.add field.
7.8.7. Modify Cluster Default Behavior
To modify your cluster so that it does not pre-allocate UIDs, allows containers to run as any user, and prevents privileged containers:
In order to preserve customized SCCs during upgrades, do not edit settings on the default SCCs other than priority, users, groups, labels, and annotations. The runAsUser change below is such a setting, so oadm policy reconcile-sccs will revert it unless you re-apply it afterwards.
- Edit the restricted SCC:

$ oc edit scc restricted

- Change runAsUser.type to RunAsAny.
- Ensure allowPrivilegedContainer is set to false.
- Save the changes.
To modify your cluster so that it does not pre-allocate UIDs and does not allow containers to run as root:
- Edit the restricted SCC:

$ oc edit scc restricted

- Change runAsUser.type to MustRunAsNonRoot.
- Save the changes.
7.8.8. Use the hostPath Volume Plug-in
To relax the security in your cluster so that pods are allowed to use the hostPath volume plug-in without granting everyone access to the privileged SCC:
- Edit the restricted SCC:

$ oc edit scc restricted

- Add allowHostDirVolumePlugin: true.
- Save the changes.
Note that hostPath lets any pod admitted under restricted mount whatever node directories it names, so this relaxation reaches nearly as far as the privileged SCC. Where only a few workloads need it, put allowHostDirVolumePlugin: true in a new SCC instead and grant that SCC only to their service accounts.
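The checks that sections 7.4 and 7.8.6 through 7.8.8 describe, collected into one runnable model as an added example. This is illustrative code written for this page, not OpenShift's admission plug-in: it validates a pod's securityContext and volumes against the SCC fields named above (allowPrivilegedContainer, allowHostDirVolumePlugin, allowedCapabilities, requiredDropCapabilities and the runAsUser strategies) and shows the defaults admission fills in, such as the required drops and the first UID of a MustRunAsRange range. The SCC named scc-netadmin, the restricted-like SCC with a UID range written directly on it, and both pods are constructed for the example; the page's own Example 7.1 definition is not reproduced here.

```python
"""Added example, not code from OpenShift itself: a simplified model of SCC
admission for the fields used in sections 7.4 and 7.8.6 to 7.8.8
(allowPrivilegedContainer, allowHostDirVolumePlugin, allowedCapabilities,
requiredDropCapabilities, runAsUser).  Both SCCs and both pods are constructed
for this example; SELinux, fsGroup, supplementalGroups and the other SCC
fields are deliberately left out."""
import json

# Constructed SCC in the JSON form that section 7.4 says oc create accepts;
# the name scc-netadmin is made up for this example.
SCC_NETADMIN = json.loads("""{
  "kind": "SecurityContextConstraints", "apiVersion": "v1",
  "metadata": {"name": "scc-netadmin"},
  "allowPrivilegedContainer": false, "allowHostDirVolumePlugin": false,
  "allowedCapabilities": ["NET_ADMIN"],
  "requiredDropCapabilities": ["KILL", "MKNOD", "SYS_CHROOT"],
  "runAsUser": {"type": "MustRunAsNonRoot"},
  "users": ["system:serviceaccount:myproject:mysvcacct"], "groups": []}""")

# Constructed restricted-style SCC.  Assumption: the UID range is written on
# the SCC itself; the real system normally pre-allocates it per project.
SCC_RANGE = {
    "metadata": {"name": "restricted-like"},
    "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": False,
    "allowedCapabilities": [], "requiredDropCapabilities": ["KILL", "MKNOD"],
    "runAsUser": {"type": "MustRunAsRange",
                  "uidRangeMin": 1000000000, "uidRangeMax": 1000000999},
}


def resolve_run_as_user(strategy, requested):
    """Apply an SCC runAsUser strategy to the UID a container asked for.

    Returns (effective_uid, violation).  requested is None when the pod set no
    securityContext.runAsUser: MustRunAs and MustRunAsRange then supply a
    default, MustRunAsNonRoot leaves it to the image USER (which must be
    non-root at run time), and RunAsAny accepts anything, root included."""
    kind = strategy["type"]
    if kind == "RunAsAny":
        return requested, None
    if kind == "MustRunAsNonRoot":
        if requested == 0:
            return None, "runAsUser 0 is rejected by MustRunAsNonRoot"
        return requested, None
    if kind == "MustRunAs":
        if requested not in (None, strategy["uid"]):
            return None, f"runAsUser must be {strategy['uid']}"
        return strategy["uid"], None
    if kind == "MustRunAsRange":
        lo, hi = strategy["uidRangeMin"], strategy["uidRangeMax"]
        if requested is None:
            return lo, None
        if not lo <= requested <= hi:
            return None, f"runAsUser {requested} is outside {lo}-{hi}"
        return requested, None
    return None, f"unknown runAsUser strategy {kind}"


def admit(scc, pod):
    """Check pod against scc.  Returns {"allowed", "violations", "containers"};
    containers maps each container name to the effective runAsUser and
    capability add/drop lists, as admission would rewrite the securityContext."""
    violations, containers = [], {}
    spec = pod["spec"]
    if not scc.get("allowHostDirVolumePlugin", False):
        for vol in spec.get("volumes", []):
            if "hostPath" in vol:
                violations.append(f"volume {vol['name']}: hostPath volumes are not allowed")
    for c in spec["containers"]:
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        add, drop = list(caps.get("add", [])), list(caps.get("drop", []))
        if sc.get("privileged") and not scc.get("allowPrivilegedContainer", False):
            violations.append(f"{c['name']}: privileged containers are not allowed")
        for cap in add:
            if cap not in scc.get("allowedCapabilities", []):
                violations.append(f"{c['name']}: capability {cap} is not in allowedCapabilities")
        for cap in scc.get("requiredDropCapabilities", []):
            if cap in add:
                violations.append(f"{c['name']}: capability {cap} must be dropped, not added")
            elif cap not in drop:
                drop.append(cap)  # admission fills the required drops in for you
        uid, err = resolve_run_as_user(scc["runAsUser"], sc.get("runAsUser"))
        if err:
            violations.append(f"{c['name']}: {err}")
        containers[c["name"]] = {"runAsUser": uid, "add": add, "drop": drop}
    return {"allowed": not violations, "violations": violations, "containers": containers}


# Constructed pods: the first is admitted by scc-netadmin, the second is not.
GOOD_POD = {"spec": {"containers": [{"name": "app", "securityContext": {
    "runAsUser": 1001, "capabilities": {"add": ["NET_ADMIN"]}}}]}}
BAD_POD = {"spec": {
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "securityContext": {
        "privileged": True, "runAsUser": 0, "capabilities": {"add": ["KILL"]}}}]}}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(json.dumps(admit(SCC_NETADMIN, pod), indent=2))
```

Running the file prints the admission result for each pod: the first is allowed, with KILL, MKNOD and SYS_CHROOT added to its drop list, while the second collects five violations (hostPath, privileged, an unlisted capability, a required-drop capability requested under add, and UID 0 under MustRunAsNonRoot). A pod that lists a required-drop capability under add is reported rather than silently dropped, because a pod that asks for a capability the SCC forbids should fail loudly rather than run with less than it expected.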
7.8.9. Ensure That Admission Attempts to Use a Specific SCC First
You may control the sort ordering of SCCs in admission by setting the Priority field of the SCCs. Please see the SCC Prioritization section for more information on sorting.
7.8.10. Add an SCC to a User or Group
To add an SCC to a user:

$ oadm policy add-scc-to-user <scc_name> <user_name>

To add an SCC to a service account:

$ oadm policy add-scc-to-user <scc_name> \
    system:serviceaccount:<serviceaccount_namespace>:<serviceaccount_name>

To add an SCC to a group:

$ oadm policy add-scc-to-group <scc_name> <group_name>

To add an SCC to all service accounts in a namespace:

$ oadm policy add-scc-to-group <scc_name> \
    system:serviceaccounts:<serviceaccount_namespace>
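How the users and groups lists that these commands maintain are consulted, as an added example written for this page rather than taken from OpenShift. It models the grant commands of 7.8.1, 7.8.2 and 7.8.10 as appending a subject to an SCC's users or groups list, expands the implicit groups a subject carries (every authenticated user is in system:authenticated; a service account is also in system:serviceaccounts and system:serviceaccounts:<namespace>, which is why add-scc-to-group with that group covers all service accounts in a namespace), and orders the usable SCCs the way 7.8.9 describes, highest priority first. The SCC list is constructed and only loosely modelled on the defaults after the grants in 7.8.1 to 7.8.4; the name-based tie-break is a simplification of this example, the full rule being in the SCC Prioritization section.

```python
"""Added example, not code from OpenShift itself: a model of how the users and
groups lists that oadm policy add-scc-to-user and add-scc-to-group maintain
decide which SCCs a subject may use (sections 7.8.1, 7.8.2, 7.8.9, 7.8.10).
Assumptions: the SCC list below is constructed; a service account
system:serviceaccount:<ns>:<name> is a member of system:serviceaccounts:<ns>,
system:serviceaccounts and system:authenticated; higher priority sorts first
and ties are broken by name (a simplification of the real ordering)."""
import copy

SA_PREFIX = "system:serviceaccount:"

# Constructed SCCs, loosely modelled on the defaults after the grants in
# sections 7.8.1 to 7.8.4 have been run.  priority None behaves as 0.
SCCS = [
    {"name": "restricted", "priority": None, "users": [],
     "groups": ["system:authenticated"]},
    {"name": "privileged", "priority": None,
     "users": ["e2e-user", "system:serviceaccount:myproject:mysvcacct"],
     "groups": ["system:cluster-admins", "system:nodes"]},
    {"name": "anyuid", "priority": 10,
     "users": ["system:serviceaccount:myproject:mysvcacct"], "groups": []},
    {"name": "ci-builds", "priority": None, "users": [],
     "groups": ["system:serviceaccounts:ci"]},
]


def implicit_groups(user, groups=()):
    """Groups a subject is checked against: the explicit ones, plus the
    implicit ones every authenticated user and every service account carries."""
    result = set(groups) | {"system:authenticated"}
    if user.startswith(SA_PREFIX):
        namespace = user[len(SA_PREFIX):].split(":", 1)[0]
        result |= {"system:serviceaccounts", f"system:serviceaccounts:{namespace}"}
    return result


def available_sccs(sccs, user, groups=()):
    """Names of the SCCs user may be admitted under, in the order admission
    would try them here: highest priority first, then by name."""
    gs = implicit_groups(user, groups)
    usable = [s for s in sccs
              if user in s["users"] or any(g in s["groups"] for g in gs)]
    usable.sort(key=lambda s: (-(s["priority"] or 0), s["name"]))
    return [s["name"] for s in usable]


def grant(sccs, scc_name, subject, kind="user"):
    """Model of oadm policy add-scc-to-user / add-scc-to-group: return a copy
    of sccs with subject appended to the named SCC's users or groups list."""
    if kind not in ("user", "group"):
        raise ValueError(f"kind must be user or group, not {kind}")
    updated = copy.deepcopy(sccs)
    for s in updated:
        if s["name"] == scc_name:
            field = "users" if kind == "user" else "groups"
            if subject not in s[field]:
                s[field].append(subject)
            return updated
    raise KeyError(f"no SCC named {scc_name}")


if __name__ == "__main__":
    for subject in ("e2e-user", "system:serviceaccount:myproject:mysvcacct",
                    "system:serviceaccount:ci:builder", "alice"):
        print(f"{subject}: {available_sccs(SCCS, subject)}")
    # Section 7.8.3: opening anyuid to every authenticated user.
    relaxed = grant(SCCS, "anyuid", "system:authenticated", kind="group")
    print(f"alice after the grant: {available_sccs(relaxed, 'alice')}")
```

The last two lines show why the system:authenticated grant in 7.8.3 is so broad: before it, an ordinary user such as alice can only use restricted; after it, anyuid sorts ahead of restricted for every authenticated user because of its higher priority, so every pod that does not ask for more is admitted under anyuid.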