Openshift - SCC
Last updated
Last updated
The original author of this page is Guillaume
In the context of OpenShift, SCC stands for Security Context Constraints. Security Context Constraints are policies that control permissions for pods running on OpenShift clusters. They define the security parameters under which a pod is allowed to run, including what actions it can perform and what resources it can access.
SCCs help administrators enforce security policies across the cluster, ensuring that pods are running with appropriate permissions and adhering to organizational security standards. These constraints can specify various aspects of pod security, such as:
Linux capabilities: Limiting the capabilities available to containers, such as the ability to perform privileged actions.
SELinux context: Enforcing SELinux contexts for containers, which define how processes interact with resources on the system.
Read-only root filesystem: Preventing containers from modifying files in certain directories.
Allowed host directories and volumes: Specifying which host directories and volumes a pod can mount.
Run as UID/GID: Specifying the user and group IDs under which the container process runs.
Network policies: Controlling network access for pods, such as restricting egress traffic.
By configuring SCCs, administrators can ensure that pods are running with the appropriate level of security isolation and access controls, reducing the risk of security vulnerabilities or unauthorized access within the cluster.
Basically, every time a pod deployment is requested, an admission process is executed as the following:
This additional security layer by default prohibits the creation of privileged pods, mounting of the host file system, or setting any attributes that could lead to privilege escalation.
Pod Escape PrivilegesTo list all the SCC with the Openshift Client :
All users have access the default SCC "restricted" and "restricted-v2" which are the strictest SCCs.
The SCC used for a pod is defined inside an annotation :
When a user has access to multiple SCCs, the system will utilize the one that aligns with the security context values. Otherwise, it will trigger a forbidden error.