openshift-docs/modules/security-context-constraints-rbac.adoc

// Module included in the following assemblies:
//
// * authentication/managing-security-context-constraints.adoc

[id="role-based-access-to-ssc_{context}"]
= Role-based access to security context constraints

You can specify SCCs as resources that are handled by RBAC. This allows
you to scope access to your SCCs to a certain project or to the entire
cluster. Assigning users, groups, or service accounts directly to an
SCC retains cluster-wide scope.

include::snippets/default-projects.adoc[]

To include access to SCCs for your role, specify the `scc` resource
when creating a role.

[source,terminal]
----
$ oc create role <role-name> --verb=use --resource=scc --resource-name=<scc-name> -n <namespace>
----

This results in the following role definition:

[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
...
  name: role-name <1>
  namespace: namespace <2>
...
rules:
- apiGroups:
  - security.openshift.io <3>
  resourceNames:
  - scc-name <4>
  resources:
  - securitycontextconstraints <5>
  verbs: <6>
  - use
----
<1> The role's name.
<2> Namespace of the defined role. Defaults to `default` if not specified.
<3> The API group that includes the `SecurityContextConstraints` resource.
Automatically defined when `scc` is specified as a resource.
<4> An example name for an SCC you want to have access.
<5> Name of the resource group that allows users to specify SCC names in
the `resourceNames` field.
<6> A list of verbs to apply to the role.

A local or cluster role with such a rule allows the subjects that are
bound to it with a role binding or a cluster role binding to use the
user-defined SCC called `scc-name`.

[NOTE]
====
Because RBAC is designed to prevent escalation, even project administrators
are unable to grant access to an SCC. By default, they are not
allowed to use the verb `use` on SCC resources, including the
`restricted-v2` SCC.
====