openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 21:46:22 +01:00
Code Issues Releases Activity
Files
9bc8568edddbc83ceb45cd0bb353046fc9190418
openshift-docs/modules/security-context-constraints-command-reference.adoc
Andrea Hoffer 128a3f73be OSDOCS-1898: Improving About SCC docs
2021-09-08 20:43:33 +00:00

138 lines
4.7 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * authentication/managing-security-context-constraints.adoc
[id="security-context-constraints-command-reference_{context}"]
= Reference of security context constraints commands
You can manage security context constraints (SCCs) in your instance as normal API objects using the OpenShift CLI (`oc`).
ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
[NOTE]
====
You must have `cluster-admin` privileges to manage SCCs.
====
endif::openshift-enterprise,openshift-webscale,openshift-origin[]
ifdef::openshift-dedicated[]
As a cluster administrator, you can list and view details for
SCCs, but cannot edit or delete the default SCCs.
endif::openshift-dedicated[]
[id="listing-security-context-constraints_{context}"]
== Listing security context constraints
To get a current list of SCCs:
[source,terminal]
----
$ oc get scc
----
.Example output
[source,terminal]
----
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES
anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny 10 false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
hostaccess false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir hostPath persistentVolumeClaim projected secret]
hostmount-anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim projected secret]
hostnetwork false [] MustRunAs MustRunAsRange MustRunAs MustRunAs <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
node-exporter false [] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*]
nonroot false [] MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
privileged true [*] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*]
restricted false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
----
[id="examining-a-security-context-constraints-object_{context}"]
== Examining security context constraints
You can view information about a particular SCC, including which users, service accounts, and groups the SCC is applied to.
For example, to examine the `restricted` SCC:
[source,terminal]
----
$ oc describe scc restricted
----
.Example output
[source,terminal]
----
Name: restricted
Priority: <none>
Access:
Users: <none> <1>
Groups: system:authenticated <2>
Settings:
Allow Privileged: false
Default Add Capabilities: <none>
Required Drop Capabilities: KILL,MKNOD,SYS_CHROOT,SETUID,SETGID
Allowed Capabilities: <none>
Allowed Seccomp Profiles: <none>
Allowed Volume Types: configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
Allow Host Network: false
Allow Host Ports: false
Allow Host PID: false
Allow Host IPC: false
Read Only Root Filesystem: false
Run As User Strategy: MustRunAsRange
UID: <none>
UID Range Min: <none>
UID Range Max: <none>
SELinux Context Strategy: MustRunAs
User: <none>
Role: <none>
Type: <none>
Level: <none>
FSGroup Strategy: MustRunAs
Ranges: <none>
Supplemental Groups Strategy: RunAsAny
Ranges: <none>
----
<1> Lists which users and service accounts the SCC is applied to.
<2> Lists which groups the SCC is applied to.
ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
[NOTE]
====
To preserve customized SCCs during upgrades, do not edit settings on
the default SCCs.
//other than priority, users, groups, labels, and annotations.
====
[id="deleting-security-context-constraints_{context}"]
== Deleting security context constraints
To delete an SCC:
[source,terminal]
----
$ oc delete scc <scc_name>
----
[NOTE]
====
If you delete a default SCC, it will regenerate when you restart the cluster.
====
[id="updating-security-context-constraints_{context}"]
== Updating security context constraints
To update an existing SCC:
[source,terminal]
----
$ oc edit scc <scc_name>
----
[NOTE]
====
To preserve customized SCCs during upgrades, do not edit settings on
the default SCCs.
//other than priority, users, groups, labels, and annotations.
====
endif::openshift-enterprise,openshift-webscale,openshift-origin[]
View Git Blame Copy Permalink