12.4. Creating security context constraints
You can create security context constraints (SCCs) by using the OpenShift CLI (oc).
Prerequisites

- Install the OpenShift CLI (oc).
- Log in to the cluster as a user with the cluster-admin role.

Procedure

1. Define the SCC in a YAML file named scc_admin.yaml:

   SecurityContextConstraints object definition

       kind: SecurityContextConstraints
       apiVersion: security.openshift.io/v1
       metadata:
         name: scc-admin
       allowPrivilegedContainer: true
       runAsUser:
         type: RunAsAny
       seLinuxContext:
         type: RunAsAny
       fsGroup:
         type: RunAsAny
       supplementalGroups:
         type: RunAsAny
       users:
       - my-admin-user
       groups:
       - my-admin-group

   Optionally, you can specify drop capabilities for an SCC by setting the requiredDropCapabilities field with the desired values. Any specified capabilities are dropped from the container. For example, to create an SCC with the KILL, MKNOD, and SYS_CHROOT required drop capabilities, add the following to the SCC object:

       requiredDropCapabilities:
       - KILL
       - MKNOD
       - SYS_CHROOT

   CRI-O supports the same list of capability values that are found in the Docker documentation.

2. Create the SCC by passing in the file:

       $ oc create -f scc_admin.yaml

   Example output

       securitycontextconstraints "scc-admin" created

Verification

Verify that the SCC was created:

    $ oc get scc scc-admin

Example output

    NAME        PRIV   CAPS   SELINUX    RUNASUSER   FSGROUP    SUPGROUP   PRIORITY   READONLYROOTFS   VOLUMES
    scc-admin   true   []     RunAsAny   RunAsAny    RunAsAny   RunAsAny   <none>     false            [awsElasticBlockStore azureDisk azureFile cephFS cinder configMap downwardAPI emptyDir fc flexVolume flocker gcePersistentDisk gitRepo glusterfs iscsi nfs persistentVolumeClaim photonPersistentDisk quobyte rbd secret vsphere]
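The following shell script is an added example and is not part of the OpenShift documentation: it reviews an SCC manifest such as scc_admin.yaml before `oc create` and lists the settings that widen what pods admitted under it may do (a privileged container flag, RunAsAny strategies, and no requiredDropCapabilities). The function names scc_strategy and scc_findings, and the embedded copy of the scc-admin manifest, are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the OpenShift docs): review an SCC manifest before "oc create".
# Constructed sample input: the scc-admin definition from the procedure above.
SCC_ADMIN_YAML='kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: scc-admin
allowPrivilegedContainer: true
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users:
- my-admin-user
groups:
- my-admin-group'

# scc_strategy FILE KEY: print the "type:" value nested under KEY (e.g. runAsUser).
scc_strategy() {
  awk -v key="$2:" '
    $1 == key && NF == 1 { inblock = 1; next }   # entered the strategy block
    inblock && $1 == "type:" { print $2; exit }  # first type: line inside it
    inblock && $0 !~ /^[ \t]/ { inblock = 0 }    # left the block without a type:
  ' "$1"
}

# scc_findings FILE: one line per setting that widens what admitted pods may do.
# Empty output means none of the checked settings is present.
scc_findings() {
  f=$1
  grep -Eq '^allowPrivilegedContainer:[[:space:]]*true' "$f" &&
    echo "allowPrivilegedContainer=true"
  for key in runAsUser seLinuxContext fsGroup supplementalGroups; do
    [ "$(scc_strategy "$f" "$key")" = "RunAsAny" ] && echo "$key=RunAsAny"
  done
  # A privileged SCC with no requiredDropCapabilities keeps every default capability.
  grep -q '^requiredDropCapabilities:' "$f" || echo "requiredDropCapabilities=missing"
  return 0
}

# Stand-alone run: write the sample to a temp file and print its findings.
tmp=$(mktemp) && printf '%s\n' "$SCC_ADMIN_YAML" > "$tmp" && scc_findings "$tmp"; rm -f "$tmp"
```

Run it against the real scc_admin.yaml with `scc_findings scc_admin.yaml`; adding the requiredDropCapabilities block from the procedure removes the last finding.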