OpenShift: Configuring Application Security using SCCs

Khemnath chauhan
2 min read · Jan 14, 2024


Introduction to SCC:

A Security Context Constraint (SCC) is a cluster-scoped OpenShift policy object that defines the security boundary a pod must stay within. It lists what a pod's security context is allowed to request: which user and group IDs the containers may run as, which Linux capabilities they may add, whether they may run privileged, and which volume types and host resources they may use. SCCs are how OpenShift enforces the principle of least privilege at admission time: a pod is admitted only if an SCC granted to it permits everything the pod asks for, and the pod then runs with nothing beyond what that SCC allows.

SCCs limit what a running pod can reach on the node it is scheduled to. Among other things, an SCC controls:
• Running privileged containers.
• Requesting extra Linux capabilities for a container.
• Using host directories as volumes, and which volume types may be mounted at all.
• Using the host network, host ports, or the host PID and IPC namespaces.
• Changing the SELinux context of a container.
• Changing the user ID (and supplemental group IDs) a container runs as.
• Allowing privilege escalation (setuid binaries) and choosing a seccomp profile.

You can run the following command as a cluster administrator to list the SCCs defined by OpenShift:

$ oc get scc

OpenShift ships with a set of default SCCs. The eight classic ones are:
• anyuid
• hostaccess
• hostmount-anyuid
• hostnetwork
• node-exporter
• nonroot
• privileged
• restricted

OpenShift 4.11 and later add hardened -v2 variants (restricted-v2, nonroot-v2, hostnetwork-v2) that drop all capabilities by default and forbid privilege escalation; restricted-v2 is the default for new pods on those releases. Cluster operators also install their own SCCs, so a real cluster usually lists more than eight. Do not edit the default SCCs, since platform pods and upgrades depend on them; create a new SCC when a workload needs something they do not permit.

To get additional information about an SCC, use the oc describe command (output abbreviated):

[user@host ~]$ oc describe scc anyuid
Name:        anyuid
Priority:    10
Access:
  Users:     <none>
  Groups:    system:cluster-admins
Settings:
  ...

Note the Priority of 10. When a service account has been granted several SCCs, the admission plugin tries higher-priority SCCs first, which is why granting anyuid to a service account makes it win over restricted (which has no priority set) for every pod that service account creates.

** anyuid does not grant "all the power of root". It lets a container run as any UID, including 0, so a process can be root inside the container, but anyuid still forbids privileged mode, host namespaces and host volumes, requires the MKNOD capability to be dropped, and keeps the SELinux context OpenShift assigns. Root inside a container is still a significant escalation surface, so prefer nonroot when an image only needs some fixed non-root UID, and fix images to tolerate an arbitrary UID where you can. Real root power on the node is what the privileged SCC grants.

Most pods created by OpenShift use the SCC named restricted (restricted-v2 on OpenShift 4.11 and later), which provides only limited access to resources outside the pod. The SCC a pod was admitted under is recorded in its openshift.io/scc annotation, so oc describe shows it:

$ oc describe pod test-123456 -n openshift-console | grep scc
openshift.io/scc: restricted
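The same annotation is the quickest way to audit a whole cluster for pods that run outside the restricted SCCs. The script below is an added example and not part of the original post: list_pod_sccs pulls namespace, pod name and the openshift.io/scc annotation for every pod, and report_nonrestricted prints each pod whose SCC is not in an allowlist (restricted and restricted-v2 by default). The pod names in SAMPLE_PODS are constructed so the script can be exercised without a cluster.

```shell
#!/bin/sh
# Added example (not from the original post): audit which SCC each pod was
# admitted under and flag everything outside an allowlist.

# SCCs acceptable for ordinary workloads. restricted-v2 is the default on
# OpenShift 4.11 and later, restricted on older clusters. Override with e.g.
# ALLOWED_SCCS="restricted restricted-v2 nonroot-v2" if your baseline differs.
ALLOWED_SCCS="${ALLOWED_SCCS:-restricted restricted-v2}"

# One "namespace<TAB>pod<TAB>scc" line per pod on the cluster. The
# openshift.io/scc annotation is written by the SCC admission plugin when the
# pod is created, so it records the SCC the pod actually runs under.
list_pod_sccs() {
    oc get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.metadata.annotations.openshift\.io/scc}{"\n"}{end}'
}

# Read those lines on stdin and print every pod whose SCC is not allowlisted.
# A pod with no annotation is reported as <none> rather than silently skipped.
# Exit status is 1 when anything was reported, 0 when the input is clean.
report_nonrestricted() {
    flagged=0
    while IFS="$(printf '\t')" read -r ns pod scc; do
        [ -n "$pod" ] || continue
        scc="${scc:-<none>}"
        case " $ALLOWED_SCCS " in
            *" $scc "*) ;;
            *) printf '%s/%s runs under SCC %s\n' "$ns" "$pod" "$scc"
               flagged=1 ;;
        esac
    done
    return "$flagged"
}

# Constructed sample of list_pod_sccs output; these pods do not exist.
# The last line has an empty SCC field to exercise the <none> case.
SAMPLE_PODS="$(printf 'openshift-console\tconsole-5d9f8\trestricted-v2\nmyapp\ttest-app-1-abc12\tanyuid\nopenshift-sdn\tsdn-xyz\tprivileged\nmyapp\tweb-7c4\trestricted\nmyapp\tjob-9q1\t\n')"

# `sh scc-audit.sh --sample` runs the offline sample, `sh scc-audit.sh --live`
# queries the cluster you are logged in to (the file name is arbitrary). With
# no argument only the functions are defined, so the file can be sourced.
case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_PODS" | report_nonrestricted ;;
    --live)   list_pod_sccs | report_nonrestricted ;;
esac
```

Against the sample this reports test-app-1-abc12 (anyuid), sdn-xyz (privileged) and job-9q1 (<none>) and exits 1, so the same pipeline can gate a CI job. Expect platform namespaces (openshift-sdn, openshift-monitoring and the like) to legitimately appear in a live run; the interesting findings are application namespaces that have drifted away from restricted.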

Assignment to Pods:

SCCs are not attached to a pod directly. Access to an SCC is granted, through RBAC, to users, groups, or service accounts. When a pod is created, the admission plugin collects the SCCs available to the pod's service account (and to the requesting user, if a user creates the pod directly), orders them by priority and then by restrictiveness, and admits the pod under the first SCC whose rules the pod's security context satisfies; if none fits, the pod is rejected. Because workloads such as Deployments create their pods through a service account, granting an SCC to that service account is the standard way to give an application a wider security boundary. Before deploying, oc adm policy scc-review -z test-sa -f deployment.yaml reports which SCC, if any, would admit the pod template for that service account.

1. Create a service account for the application.

$ oc create sa test-sa

2. Grant the anyuid SCC to the service account you just created.

$ oc adm policy add-scc-to-user anyuid -z test-sa

Usage:
  oc adm policy add-scc-to-user SCC (USER | -z SERVICEACCOUNT) [USER ...] [flags] [options]

  -z, --serviceaccount=[]:
      service account in the current namespace to use as a user

Prefer granting SCCs to service accounts rather than to users: the grant then travels with the workload, is visible as a RoleBinding in the namespace, and the pods never depend on who happened to run oc apply.

3. Assign the test-sa service account to the test-app workload. This triggers a new rollout; pods keep the SCC they were admitted under, so existing pods are unaffected until they are replaced.

$ oc set serviceaccount deploymentconfig test-app test-sa

For a Deployment, use deployment/test-app in place of deploymentconfig test-app. Afterwards, confirm that the new pods carry openshift.io/scc: anyuid before assuming the change took effect.
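Putting the three steps together, here is an added example (not from the original post) that performs the grant idempotently and, just as importantly, verifies the result: because a running pod never changes SCC, the check inspects the pods created by the rollout rather than trusting the grant. The namespace myapp, the workload kind, and the app=test-app label selector are assumptions; pass your deployment's own selector.

```shell
#!/bin/sh
# Added example (not from the original post): grant an SCC to a service
# account, move a workload onto that service account, and verify that the
# pods created by the rollout were admitted under the expected SCC.
set -eu

# Idempotent: create the service account only if it does not exist yet.
ensure_sa() {                               # ensure_sa NAMESPACE SA
    oc get sa "$2" -n "$1" >/dev/null 2>&1 || oc create sa "$2" -n "$1"
}

# Grant the SCC to the service account. On OpenShift 4 this is plain RBAC:
# a RoleBinding in the namespace to the system:openshift:scc:<scc>
# ClusterRole, which `oc get rolebinding -n NAMESPACE` will show.
grant_scc() {                               # grant_scc NAMESPACE SA SCC
    oc adm policy add-scc-to-user "$3" -z "$2" -n "$1"
}

# Switch the workload to the service account and wait for the new pods.
# KIND is deployment or deploymentconfig. Existing pods are replaced; the
# SCC of an already running pod never changes.
use_sa() {                                  # use_sa NAMESPACE KIND NAME SA
    oc set serviceaccount "$2/$3" "$4" -n "$1"
    oc rollout status "$2/$3" -n "$1" --timeout=120s
}

# Fail unless every pod matching SELECTOR carries the expected SCC in its
# openshift.io/scc annotation. Pods without the annotation are reported as
# <none> rather than ignored.
verify_scc() {                              # verify_scc NAMESPACE SELECTOR SCC
    pods="$(oc get pods -n "$1" -l "$2" \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.annotations.openshift\.io/scc}{"\n"}{end}')"
    mismatches="$(printf '%s\n' "$pods" |
        awk -F'\t' -v want="$3" 'NF && $2 != want {
            print $1 " runs under SCC " ($2 == "" ? "<none>" : $2) }')"
    if [ -n "$mismatches" ]; then
        printf 'SCC verification failed, expected %s:\n%s\n' "$3" "$mismatches" >&2
        return 1
    fi
}

# main NAMESPACE SA SCC KIND NAME SELECTOR
# e.g. main myapp test-sa anyuid deployment test-app app=test-app
# (the selector app=test-app is an assumption; use your workload's labels)
main() {
    ensure_sa  "$1" "$2"
    grant_scc  "$1" "$2" "$3"
    use_sa     "$1" "$4" "$5" "$2"
    verify_scc "$1" "$6" "$3"
}

# With no arguments the file only defines the functions (so it can be
# sourced); otherwise the arguments are passed straight to main.
[ "$#" -eq 0 ] || main "$@"
```

Run it as sh grant-scc.sh myapp test-sa anyuid deployment test-app app=test-app (file name arbitrary). A non-zero exit from verify_scc usually means the rollout created pods through a different service account than expected, or that a higher-priority SCC also granted to the service account won the selection; oc describe pod on one of the listed pods shows which SCC was chosen.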
