mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-06 06:46:26 +01:00
89 lines
2.2 KiB
Plaintext
89 lines
2.2 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * authentication/managing-security-context-constraints.adoc
|
|
|
|
[id="security-context-constraints-creating_{context}"]
|
|
= Creating security context constraints
|
|
|
|
You can create a security context constraint (SCC) by using the CLI.
|
|
|
|
.Prerequisites
|
|
|
|
* You must install the `oc` command line.
|
|
* Your account must have `cluster-admin` privileges to create SCCs.
|
|
|
|
.Procedure
|
|
|
|
. Define the SCC in a JSON or YAML file:
|
|
+
|
|
.`SecurityContextConstraints` object definition
|
|
----
|
|
kind: SecurityContextConstraints
|
|
apiVersion: security.openshift.io/v1
|
|
metadata:
|
|
name: scc-admin
|
|
allowPrivilegedContainer: true
|
|
runAsUser:
|
|
type: RunAsAny
|
|
seLinuxContext:
|
|
type: RunAsAny
|
|
fsGroup:
|
|
type: RunAsAny
|
|
supplementalGroups:
|
|
type: RunAsAny
|
|
users:
|
|
- my-admin-user
|
|
groups:
|
|
- my-admin-group
|
|
----
|
|
+
|
|
Optionally, you can add drop capabilities to an SCC by setting the
|
|
`requiredDropCapabilities` field with the desired values. Any specified
|
|
capabilities will be dropped from the container. For example, to create an SCC
|
|
with the `KILL`, `MKNOD`, and `SYS_CHROOT` required drop capabilities, add
|
|
the following to the SCC object:
|
|
+
|
|
----
|
|
requiredDropCapabilities:
|
|
- KILL
|
|
- MKNOD
|
|
- SYS_CHROOT
|
|
----
|
|
+
|
|
You can see the list of possible values in the
|
|
link:https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities[Docker
|
|
documentation].
|
|
+
|
|
[TIP]
|
|
====
|
|
Because capabilities are passed to the Docker, you can use a special `ALL` value
|
|
to drop all possible capabilities.
|
|
====
|
|
|
|
. Then, run `oc create` passing the file to create it:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create -f scc_admin.yaml
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
securitycontextconstraints "scc-admin" created
|
|
----
|
|
|
|
. Verify that the SCC was created:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get scc scc-admin
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES
|
|
scc-admin true [] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [awsElasticBlockStore azureDisk azureFile cephFS cinder configMap downwardAPI emptyDir fc flexVolume flocker gcePersistentDisk gitRepo glusterfs iscsi nfs persistentVolumeClaim photonPersistentDisk quobyte rbd secret vsphere]
|
|
----
|