openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-07 00:48:01 +01:00
Code Issues Releases Activity
Files
f7a24b39697c7cf161db94de606a27e5bec2b43e
openshift-docs/modules/security-context-constraints-rbac.adoc
Andrea Hoffer c94fa39560 Terminology style updates for auth book
2020-12-03 16:33:08 -05:00

67 lines
2.1 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * authentication/managing-security-context-constraints.adoc
[id="role-based-access-to-ssc_{context}"]
= Role-based access to security context constraints
You can specify SCCs as resources that are handled by RBAC. This allows
you to scope access to your SCCs to a certain project or to the entire
cluster. Assigning users, groups, or service accounts directly to an
SCC retains cluster-wide scope.
[NOTE]
====
You cannot assign a SCC to pods created in one of the default namespaces: `default`, `kube-system`, `kube-public`, `openshift-node`, `openshift-infra`, `openshift`. These namespaces should not be used for running pods or services.
====
To include access to SCCs for your role, specify the `scc` resource
when creating a role.
[source,terminal]
----
$ oc create role <role-name> --verb=use --resource=scc --resource-name=<scc-name> -n <namespace>
----
This results in the following role definition:
[source,yaml]
----
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
...
name: role-name <1>
namespace: namespace <2>
...
rules:
- apiGroups:
- security.openshift.io <3>
resourceNames:
- scc-name <4>
resources:
- securitycontextconstraints <5>
verbs: <6>
- use
----
<1> The role's name.
<2> Namespace of the defined role. Defaults to `default` if not specified.
<3> The API group that includes the `SecurityContextConstraints` resource.
Automatically defined when `scc` is specified as a resource.
<4> An example name for an SCC you want to have access.
<5> Name of the resource group that allows users to specify SCC names in
the `resourceNames` field.
<6> A list of verbs to apply to the role.
A local or cluster role with such a rule allows the subjects that are
bound to it with a role binding or a cluster role binding to use the
user-defined SCC called `scc-name`.
[NOTE]
====
Because RBAC is designed to prevent escalation, even project administrators
are unable to grant access to an SCC. By default, they are not
allowed to use the verb `use` on SCC resources, including the
`restricted` SCC.
====
View Git Blame Copy Permalink