Similar to the way that RBAC resources control user access, administrators can use security context constraints (SCCs) to control permissions for pods. These permissions include actions that a pod can perform and what resources it can access. You can use SCCs to define a set of conditions that a pod must run with to be accepted into the system.
Security context constraints allow an administrator to control:
-
Whether a pod can run privileged containers with the
allowPrivilegedContainer
flag. -
Whether a pod is constrained with the
allowPrivilegeEscalation
flag. -
The capabilities that a container can request
-
The use of host directories as volumes
-
The SELinux context of the container
-
The container user ID
-
The use of host namespaces and networking
-
The allocation of an
FSGroup
that owns the pod volumes -
The configuration of allowable supplemental groups
-
Whether a container requires write access to its root file system
-
The usage of volume types
-
The configuration of allowable
seccomp
profiles
By default the cluster contains several default security context constraints (SCCs) with different sets of permissions and privileges as per the documentation.
You can specify SCCs as resources that are handled by RBAC. This allows you to scope access to your SCCs to a certain project or to the entire cluster. Assigning users, groups, or service accounts directly to an SCC retains cluster-wide scope.
For example when you assign anyuid scc to service account my-sa
$ oc adm policy add-scc-to-user anyuid -z my-sa
corresponding role will be created and bound to the service account with cluster scope.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:openshift:scc:anyuid
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- anyuid
resources:
- securitycontextconstraints
verbs:
- use
As an cluster admin using oc cli you can check who has permissions to use specific scc.
$ oc adm policy who-can use scc anyuid
resourceaccessreviewresponse.authorization.openshift.io/<unknown>
Namespace: default
Verb: use
Resource: securitycontextconstraints.security.openshift.io
Users: system:admin
system:serviceaccount:apps-mlapps:my-sa
system:serviceaccount:apps-sealed-secrets:secrets-controller
...
Groups: system:cluster-admins
system:masters
If you are using Advanced Cluster Security for Kubernetes you can also check who has these permissions using ACS Central web UI:
On the left hand side Menu click on Configuration Management and next on the right top side click on RBAC Visibility & Configuration dropdown list and select Roles. Finally type "Role: system:openshift:scc" in the filter.
Click on any available link in User & Groups or Service Account columns to reveal list of users, groups or service accounts bound to selected SCC.