mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 21:46:22 +01:00
132 lines
4.5 KiB
Plaintext
132 lines
4.5 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * authentication/managing-security-context-constraints.adoc
|
|
|
|
[id="security-context-constraints-command-reference_{context}"]
|
|
= Reference of security context constraints commands
|
|
|
|
You can manage security context constraints (SCCs) in your instance as normal API objects using the OpenShift CLI (`oc`).
|
|
|
|
ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
|
|
[NOTE]
|
|
====
|
|
You must have `cluster-admin` privileges to manage SCCs.
|
|
====
|
|
|
|
endif::openshift-enterprise,openshift-webscale,openshift-origin[]
|
|
|
|
[id="listing-security-context-constraints_{context}"]
|
|
== Listing security context constraints
|
|
|
|
To get a current list of SCCs:
|
|
|
|
[source,terminal]
|
|
----
|
|
$ oc get scc
|
|
----
|
|
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES
|
|
anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny 10 false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
|
|
hostaccess false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir hostPath persistentVolumeClaim projected secret]
|
|
hostmount-anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim projected secret]
|
|
hostnetwork false [] MustRunAs MustRunAsRange MustRunAs MustRunAs <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
|
|
node-exporter false [] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*]
|
|
nonroot false [] MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
|
|
privileged true [*] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*]
|
|
restricted false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
|
|
----
|
|
|
|
[id="examining-a-security-context-constraints-object_{context}"]
|
|
== Examining security context constraints
|
|
|
|
You can view information about a particular SCC, including which users, service accounts, and groups the SCC is applied to.
|
|
|
|
For example, to examine the `restricted` SCC:
|
|
|
|
[source,terminal]
|
|
----
|
|
$ oc describe scc restricted
|
|
----
|
|
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
Name: restricted
|
|
Priority: <none>
|
|
Access:
|
|
Users: <none> <1>
|
|
Groups: system:authenticated <2>
|
|
Settings:
|
|
Allow Privileged: false
|
|
Default Add Capabilities: <none>
|
|
Required Drop Capabilities: KILL,MKNOD,SYS_CHROOT,SETUID,SETGID
|
|
Allowed Capabilities: <none>
|
|
Allowed Seccomp Profiles: <none>
|
|
Allowed Volume Types: configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
|
|
Allow Host Network: false
|
|
Allow Host Ports: false
|
|
Allow Host PID: false
|
|
Allow Host IPC: false
|
|
Read Only Root Filesystem: false
|
|
Run As User Strategy: MustRunAsRange
|
|
UID: <none>
|
|
UID Range Min: <none>
|
|
UID Range Max: <none>
|
|
SELinux Context Strategy: MustRunAs
|
|
User: <none>
|
|
Role: <none>
|
|
Type: <none>
|
|
Level: <none>
|
|
FSGroup Strategy: MustRunAs
|
|
Ranges: <none>
|
|
Supplemental Groups Strategy: RunAsAny
|
|
Ranges: <none>
|
|
----
|
|
<1> Lists which users and service accounts the SCC is applied to.
|
|
<2> Lists which groups the SCC is applied to.
|
|
|
|
ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
|
|
[NOTE]
|
|
====
|
|
To preserve customized SCCs during upgrades, do not edit settings on
|
|
the default SCCs.
|
|
//other than priority, users, groups, labels, and annotations.
|
|
====
|
|
|
|
[id="deleting-security-context-constraints_{context}"]
|
|
== Deleting security context constraints
|
|
|
|
To delete an SCC:
|
|
|
|
[source,terminal]
|
|
----
|
|
$ oc delete scc <scc_name>
|
|
----
|
|
|
|
[NOTE]
|
|
====
|
|
If you delete a default SCC, it will regenerate when you restart the cluster.
|
|
====
|
|
|
|
[id="updating-security-context-constraints_{context}"]
|
|
|
|
== Updating security context constraints
|
|
|
|
To update an existing SCC:
|
|
|
|
[source,terminal]
|
|
----
|
|
$ oc edit scc <scc_name>
|
|
----
|
|
|
|
[NOTE]
|
|
====
|
|
To preserve customized SCCs during upgrades, do not edit settings on
|
|
the default SCCs.
|
|
//other than priority, users, groups, labels, and annotations.
|
|
====
|
|
endif::openshift-enterprise,openshift-webscale,openshift-origin[]
|