Skip to content

SCC anyuid example

Create project and service account

1
2
oc new-project anyuid-demo
oc create sa anyuid

Allow service account to use scc anyuid

prior 4.3.8

1
oc adm policy add-scc-to-user -n anyuid-demo -z anyuid anyuid

past 4.3.8

Use Role-based access to Security Context Constraints.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
oc create -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: scc-anyuid
  namespace: anyuid-demo
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - anyuid
  resources:
  - securitycontextconstraints
  verbs:
  - use
EOF

oc create -f - <<EOF
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sa-to-scc-anyuid
  namespace: anyuid-demo
subjects:
  - kind: ServiceAccount
    name: anyuid
roleRef:
  kind: Role
  name: scc-anyuid
  apiGroup: rbac.authorization.k8s.io
EOF

Deploy

without-anyuid

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
oc apply -f - <<EOF
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: without-anyuid
spec:
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        deploymentconfig: without-anyuid
    spec:
      containers:
      - image: ubi8/ubi-minimal
        name: container
        command:
          - "/bin/sh"
          - "-c"
          - |
            while true ; do
              date;
              echo -n "id: "
              id;
              sleep 1;
            done;
  triggers:
  - type: ConfigChange
EOF

with-anyuid

Note

Important is the serviceAccount and serviceAccountName!

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
oc apply -f - <<EOF
apiVersion: v1
kind: DeploymentConfig
metadata:
  name: with-anyuid
spec:
  replicas: 1
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        deploymentconfig: with-anyuid
    spec:
      serviceAccount: anyuid
      serviceAccountName: anyuid
      containers:
      - image: ubi8/ubi-minimal
        name: container
        command:
          - "/bin/sh"
          - "-c"
          - |
            while true ; do
              date;
              echo -n "id: "
              id;
              sleep 1;
            done;
  triggers:
  - type: ConfigChange
EOF

Result:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
$ oc get pods -l deployment -o "custom-columns=NAME:.metadata.name,SCC:.metadata.annotations.openshift\.io/scc,SERVICEACCOUNT:.spec.serviceAccountName"
NAME                     SCC          SERVICEACCOUNT
with-anyuid-1-gxczf      anyuid       anyuid
without-anyuid-1-fdhfb   restricted   default

$ oc logs  dc/without-anyuid  | tail -2
Fri Apr 17 10:11:14 UTC 2020
id: uid=1000540000(1000540000) gid=0(root) groups=0(root),1000540000
$ oc logs  dc/with-anyuid  | tail -2
Fri Apr 17 10:11:18 UTC 2020
id: uid=0(root) gid=0(root) groups=0(root)
2021-08-03 2020-04-17 Contributors: Robert Bohne