mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/security-context-constraints-command-reference.adoc
2021-06-29 14:49:43 +00:00


// Module included in the following assemblies:
//
// * authentication/managing-security-context-constraints.adoc
[id="security-context-constraints-command-reference_{context}"]
= Security context constraints reference commands
You can manage SCCs in your instance as normal API objects using the CLI.
ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
[NOTE]
====
You must have `cluster-admin` privileges to manage SCCs.
====
[IMPORTANT]
====
Do not modify the default SCCs. Customizing the default SCCs can lead to issues when some of the platform pods deploy or {product-title} is upgraded. During upgrades between some versions of {product-title}, the values of the default SCCs are reset to the default values, which discards all customizations to those SCCs.
====
endif::openshift-enterprise,openshift-webscale,openshift-origin[]
ifdef::openshift-dedicated[]
As a cluster administrator, you can list and view details for
SCCs, but cannot edit or delete the default SCCs.
endif::openshift-dedicated[]
[id="listing-security-context-constraints_{context}"]
== Listing SCCs
To get a current list of SCCs:
[source,terminal]
----
$ oc get scc
----
.Example output
[source,terminal]
----
NAME               PRIV    CAPS   SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY   READONLYROOTFS   VOLUMES
anyuid             false   []     MustRunAs   RunAsAny           RunAsAny    RunAsAny    10         false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
hostaccess         false   []     MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath persistentVolumeClaim projected secret]
hostmount-anyuid   false   []     MustRunAs   RunAsAny           RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim projected secret]
hostnetwork        false   []     MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
node-exporter      false   []     RunAsAny    RunAsAny           RunAsAny    RunAsAny    <none>     false            [*]
nonroot            false   []     MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
privileged         true    [*]    RunAsAny    RunAsAny           RunAsAny    RunAsAny    <none>     false            [*]
restricted         false   []     MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
----
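The listing above is the quickest place to spot SCCs that grant broad rights (privileged containers, all capabilities, `RunAsAny` UIDs, host or NFS volumes). The following shell function is an added example, not part of this module: it audits `oc get scc` output on stdin, and `SCC_TABLE` is a constructed copy of the table above; which settings count as "risky" is this example's own assumption.

```shell
#!/bin/sh
# Added example; not part of the openshift-docs module. SCC_TABLE is a constructed
# copy of the `oc get scc` output shown above, and the "risky" criteria below are
# this example's own assumptions, not a product definition.
SCC_TABLE='NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES
anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny 10 false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
hostaccess false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir hostPath persistentVolumeClaim projected secret]
hostmount-anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim projected secret]
hostnetwork false [] MustRunAs MustRunAsRange MustRunAs MustRunAs <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
node-exporter false [] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*]
nonroot false [] MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
privileged true [*] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*]
restricted false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]'

# audit_scc: read `oc get scc` output on stdin and print one line per SCC that
# grants a risky setting, as "<name>: <reason>[,<reason>...]". Fields are
# whitespace separated; the bracketed VOLUMES list starts at field 10.
# Host network/PID/IPC are not in this table: check them with `oc describe scc`.
audit_scc() {
  awk '
    $1 == "NAME" { next }                   # skip the header row
    {
      reasons = ""
      if ($2 == "true")     reasons = reasons "privileged,"
      if ($3 == "[*]")      reasons = reasons "caps=*,"
      if ($5 == "RunAsAny") reasons = reasons "runAsUser=RunAsAny,"
      for (i = 10; i <= NF; i++) {
        v = $i; gsub(/[][]/, "", v)         # strip the [ ] around the list
        if (v == "hostPath") reasons = reasons "hostPath,"
        if (v == "nfs")      reasons = reasons "nfs,"
        if (v == "*")        reasons = reasons "volumes=*,"
      }
      if (reasons != "") { sub(/,$/, "", reasons); print $1 ": " reasons }
    }'
}

# On a live cluster: oc get scc | audit_scc. Here it runs over the sample table.
printf '%s\n' "$SCC_TABLE" | audit_scc
```

The `restricted`, `nonroot`, and `hostnetwork` rows produce no line; `hostnetwork` only looks clean here because host networking is not a column of `oc get scc`, which is why `oc describe scc` is still needed for a full review.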
[id="examining-a-security-context-constraints-object_{context}"]
== Examining an SCC
You can view information about a particular SCC, including which users, service accounts, and groups the SCC is applied to.
For example, to examine the `restricted` SCC:
[source,terminal]
----
$ oc describe scc restricted
----
.Example output
[source,terminal]
----
Name:                                 restricted
Priority:                             <none>
Access:
  Users:                              <none> <1>
  Groups:                             system:authenticated <2>
Settings:
  Allow Privileged:                   false
  Default Add Capabilities:           <none>
  Required Drop Capabilities:         KILL,MKNOD,SYS_CHROOT,SETUID,SETGID
  Allowed Capabilities:               <none>
  Allowed Seccomp Profiles:           <none>
  Allowed Volume Types:               configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
  Allow Host Network:                 false
  Allow Host Ports:                   false
  Allow Host PID:                     false
  Allow Host IPC:                     false
  Read Only Root Filesystem:          false
  Run As User Strategy:               MustRunAsRange
    UID:                              <none>
    UID Range Min:                    <none>
    UID Range Max:                    <none>
  SELinux Context Strategy:           MustRunAs
    User:                             <none>
    Role:                             <none>
    Type:                             <none>
    Level:                            <none>
  FSGroup Strategy:                   MustRunAs
    Ranges:                           <none>
  Supplemental Groups Strategy:       RunAsAny
    Ranges:                           <none>
----
<1> Lists which users and service accounts the SCC is applied to.
<2> Lists which groups the SCC is applied to.
ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
[NOTE]
====
To preserve customized SCCs during upgrades, do not edit settings on
the default SCCs.
//other than priority, users, groups, labels, and annotations.
====
[id="deleting-security-context-constraints_{context}"]
== Deleting an SCC
To delete an SCC:
[source,terminal]
----
$ oc delete scc <scc_name>
----
[NOTE]
====
If you delete a default SCC, it will regenerate when you restart the cluster.
====
[id="updating-security-context-constraints_{context}"]
== Updating an SCC
To update an existing SCC:
[source,terminal]
----
$ oc edit scc <scc_name>
----
[NOTE]
====
To preserve customized SCCs during upgrades, do not edit settings on
the default SCCs.
//other than priority, users, groups, labels, and annotations.
====
endif::openshift-enterprise,openshift-webscale,openshift-origin[]