mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/authentication/managing-security-context-constraints.adoc
2025-11-20 17:24:32 +00:00


:_mod-docs-content-type: ASSEMBLY
[id="managing-pod-security-policies"]
= Managing security context constraints
include::_attributes/common-attributes.adoc[]
:context: configuring-internal-oauth

toc::[]

In {product-title}, you can use security context constraints (SCCs) to control permissions for the pods in your cluster.

Default SCCs are created during installation and when you install some Operators or other components. As a cluster administrator, you can also create your own SCCs by using the OpenShift CLI (`oc`).

[IMPORTANT]
====
Do not modify the default SCCs. Customizing the default SCCs can lead to issues when some of the platform pods deploy or
ifndef::openshift-rosa,openshift-rosa-hcp[]
{product-title}
endif::[]
ifdef::openshift-rosa,openshift-rosa-hcp[]
ROSA
endif::openshift-rosa,openshift-rosa-hcp[]
is upgraded. Additionally, the default SCC values are reset to the defaults during some cluster upgrades, which discards all customizations to those SCCs.
ifdef::openshift-origin,openshift-enterprise,openshift-webscale,openshift-dedicated,openshift-rosa,openshift-rosa-hcp[]
Instead of modifying the default SCCs, create and modify your own SCCs as needed. For detailed steps, see xref:../authentication/managing-security-context-constraints.adoc#security-context-constraints-creating_configuring-internal-oauth[Creating security context constraints].
endif::[]
====
ifdef::openshift-dedicated[]
[NOTE]
====
In {product-title} deployments, you can create your own SCCs only for clusters that use the Customer Cloud Subscription (CCS) model. You cannot create SCCs for {product-title} clusters that use a Red Hat cloud account, because SCC resource creation requires `cluster-admin` privileges.
====
endif::openshift-dedicated[]

include::modules/security-context-constraints-about.adoc[leveloffset=+1]

include::modules/security-context-constraints-pre-allocated-values.adoc[leveloffset=+1]

include::modules/security-context-constraints-example.adoc[leveloffset=+1]

include::modules/security-context-constraints-creating.adoc[leveloffset=+1]

// Configuring a workload to require a specific SCC
include::modules/security-context-constraints-requiring.adoc[leveloffset=+1]

include::modules/security-context-constraints-rbac.adoc[leveloffset=+1]

include::modules/security-context-constraints-command-reference.adoc[leveloffset=+1]

[role="_additional-resources"]
[id="additional-resources_configuring-internal-oauth"]
== Additional resources
ifndef::openshift-rosa-hcp[]
* xref:../support/getting-support.adoc#getting-support[Getting support]
endif::openshift-rosa-hcp[]
ifdef::openshift-rosa-hcp[]
* xref:../support/getting-support.adoc#getting-support[Getting support]
endif::openshift-rosa-hcp[]