Overview

Administrators can use Security Context Constraints (SCCs) to control permissions for pods. SCCs allow an administrator to control:

  • Whether a pod can run privileged containers.
  • The capabilities that a container can request.
  • The use of host directories as volumes.
  • The SELinux context of the container.
  • The container user ID.
  • The use of host namespaces and networking.
  • The allocation of an FSGroup that owns the pod’s volumes.
  • The configuration of allowable supplemental groups.
  • Whether a container requires the use of a read only root file system.
  • The usage of volume types.
  • The configuration of allowable seccomp profiles.

Editing Role Rights

For example, to edit the rights associated with the privileged SCC:

oc edit scc privileged

You will see that the associated rights can be modified:

allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegeEscalation: true
allowPrivilegedContainer: true
allowedCapabilities:

Policy

oc adm policy

These commands allow you to assign and manage the roles and policies that apply to users. The reconcile commands allow you to reset and upgrade your system policies to the latest default policies.

To see more information on roles and policies, use the 'get' and 'describe' commands on the following resources:

  • 'clusterroles'
  • 'clusterpolicy'
  • 'clusterrolebindings'
  • 'roles'
  • 'policy'
  • 'rolebindings'
  • 'scc'

Usage:
  oc adm policy [flags]

Discover:
  who-can                         List who can perform the specified action on a resource
  scc-subject-review              Check whether a user or a ServiceAccount can create a Pod.
  scc-review                      Checks which ServiceAccount can create a Pod

Manage project membership:
  remove-user                     Remove user from the current project
  remove-group                    Remove group from the current project

Assign roles to users and groups:
  add-role-to-user                Add a role to users or serviceaccounts for the current project
  add-role-to-group               Add a role to groups for the current project
  remove-role-from-user           Remove a role from users for the current project
  remove-role-from-group          Remove a role from groups for the current project

Assign cluster roles to users and groups:
  add-cluster-role-to-user        Add a role to users for all projects in the cluster
  add-cluster-role-to-group       Add a role to groups for all projects in the cluster
  remove-cluster-role-from-user   Remove a role from users for all projects in the cluster
  remove-cluster-role-from-group  Remove a role from groups for all projects in the cluster

Manage policy on pods and containers:
  add-scc-to-user                 Add security context constraint to users or a service account
  add-scc-to-group                Add security context constraint to groups
  remove-scc-from-user            Remove user from scc
  remove-scc-from-group           Remove group from scc

Upgrade and repair system policy:
  reconcile-cluster-roles         Update cluster roles to match the recommended bootstrap policy
  reconcile-cluster-role-bindings Update cluster role bindings to match the recommended bootstrap policy
  reconcile-sccs                  Replace cluster SCCs to match the recommended bootstrap policy

To inspect the current definition of the privileged SCC:

oc describe scc privileged

Grant access to the privileged SCC to the service account that runs the DaemonSet deployment, using the CLI:

# oc adm policy add-scc-to-user privileged -z logging-apps

Or edit the privileged SCC directly with the following command:

# oc edit scc privileged

Allow Privileged

To allow privileged containers for a service account:

oc adm policy add-scc-to-user privileged system:serviceaccount:platform-rdonvoan:default

where the general form is

oc adm policy add-scc-to-user privileged system:serviceaccount:<namespace>:<user>
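
An added audit helper, not part of this wiki page or of the oc tool, that takes output shaped like `oc get scc -o json`, flags the host-access settings listed under `oc edit scc privileged` above, and reports which subjects hold each SCC; the SCC data below is a constructed sample, and the namespace is the one used in the command above.

```python
import json

# Constructed sample shaped like `oc get scc -o json` output; not data from a real cluster.
SAMPLE_SCC_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "privileged"},
   "allowHostDirVolumePlugin": true, "allowHostIPC": true, "allowHostNetwork": true,
   "allowHostPID": true, "allowHostPorts": true, "allowPrivilegeEscalation": true,
   "allowPrivilegedContainer": true, "allowedCapabilities": ["*"],
   "users": ["system:serviceaccount:platform-rdonvoan:default"],
   "groups": ["system:cluster-admins"]},
  {"metadata": {"name": "restricted"},
   "allowHostDirVolumePlugin": false, "allowHostIPC": false, "allowHostNetwork": false,
   "allowHostPID": false, "allowHostPorts": false, "allowPrivilegeEscalation": false,
   "allowPrivilegedContainer": false, "allowedCapabilities": null,
   "users": null, "groups": ["system:authenticated"]}
]}
""")

# SCC booleans that, when true, let a pod reach into the node (the fields shown by `oc edit scc`)
HOST_ACCESS_FLAGS = ("allowHostDirVolumePlugin", "allowHostIPC", "allowHostNetwork",
                     "allowHostPID", "allowHostPorts", "allowPrivilegeEscalation",
                     "allowPrivilegedContainer")

def service_account_subject(namespace, name):
    """Subject string expected by `oc adm policy add-scc-to-user <scc> <subject>`."""
    return f"system:serviceaccount:{namespace}:{name}"

def risky_settings(scc):
    """Names of enabled host-access flags, plus a marker if any capability may be requested."""
    enabled = [flag for flag in HOST_ACCESS_FLAGS if scc.get(flag) is True]
    if "*" in (scc.get("allowedCapabilities") or []):
        enabled.append("allowedCapabilities=*")
    return enabled

def sccs_granted_to(scc_list, subject, subject_groups=()):
    """SCC names whose users/groups lists directly include the subject or one of its groups.
    Grants made through RBAC roles (verb `use` on the scc resource) are not visible here."""
    granted = []
    for scc in scc_list["items"]:
        users, groups = scc.get("users") or [], scc.get("groups") or []
        if subject in users or set(subject_groups) & set(groups):
            granted.append(scc["metadata"]["name"])
    return granted

def audit(scc_list):
    """Map each SCC name to its risky settings and the subjects that hold it directly."""
    return {s["metadata"]["name"]: {"risky": risky_settings(s), "users": s.get("users") or [],
                                    "groups": s.get("groups") or []} for s in scc_list["items"]}
```

Feed it real data with `oc get scc -o json` and check the `privileged` entry's `users` list against the service accounts you expect.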

Jenkins system:anonymous rights

oc adm policy add-cluster-role-to-user edit system:anonymous

openshift_roles_and_security.txt · Last modified: 2020/02/18 02:29 by root