Configuration Guide for SCC - Security Context Constraints with Priority

Solution Unverified - Updated

Environment

  • OpenShift Container Platform
    • 3.x

Issue

  • The privileged SCC is ignored even though it has already been granted to the default service account.
  • How does priority work in an SCC?
  • How are SCCs granted to and revoked from service accounts with the oc CLI?

Resolution

  • Changing an SCC's priority takes effect cluster-wide, for every user, group and service account that is allowed to use that SCC, so adjust it in advance according to your security and authorization policy from a cluster-administration standpoint. In particular, once privileged outranks restricted, any pod created by a requester that has been granted privileged is admitted under privileged by default, even if the pod never asked for privileged settings; such a pod keeps the image's default user (often root) instead of being assigned a UID from the project's range.
  • If you want a specific SCC other than anyuid to take effect, adjust the priority of the target SCC.
    • The other SCCs (e.g. privileged, nonroot, ...) have no priority set, which means priority 0, whereas anyuid is configured with priority 10 by default.
      • The larger value takes precedence when the SCCs are ordered.
  • For example, the standard steps for granting privileged to a default service account are as follows. The openshift.io/scc annotation on the resulting pod shows which SCC actually admitted it, so check it after every change.
# oc new-project scctest

# oc patch scc privileged -p "priority: 5"
securitycontextconstraints "privileged" patched

# oc get scc privileged
NAME         PRIV      CAPS      SELINUX    RUNASUSER   FSGROUP    SUPGROUP   PRIORITY   READONLYROOTFS   VOLUMES
privileged   true      [*]       RunAsAny   RunAsAny    RunAsAny   RunAsAny   5          false            [*]

# oc adm policy add-scc-to-user privileged -z default
scc "privileged" added to: ["system:serviceaccount:scctest:default"]

# oc run testpod --image=registry.access.redhat.com/rhel7 -- tail -f /dev/null
deploymentconfig "testpod" created

# oc describe pod
...
Annotations:    
...
          openshift.io/scc=privileged
...
  • Grant an SCC to a service account using oc adm policy add-scc-to-user.
# oc adm policy add-scc-to-user <scc name> -z <service account name>
  • Revoke an SCC from a service account using oc adm policy remove-scc-from-user.
# oc adm policy remove-scc-from-user <scc name> -z <service account name>

Root Cause

  • When the complete set of SCCs available to the requester has been determined, they are ordered by the SCC prioritization rules as follows.
    • Highest priority first; nil (<none>) is considered priority 0.
    • If priorities are equal, the SCCs are sorted from most restrictive to least restrictive.
    • If both priorities and restrictions are equal, the SCCs are sorted by name.
  • Admission then uses the first SCC in that order that validates the pod. For example, if you grant privileged to a service account without adjusting priority, the restricted SCC takes effect by the rules above.
    • privileged and restricted (the default SCC) both have priority <none>, and restricted is more restrictive than privileged, so restricted is tried first and admits any pod that does not actually require privileged settings. Only a pod that restricted rejects (for example one that requests privileged: true) falls through to privileged.
  • Also be mindful of the groups and users that have permission to use the SCCs, as this affects which SCC is chosen by default as well.
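The ordering rules above, and the reason the priority-5 patch in the Resolution section changes the outcome, as an added illustration. This is not OpenShift's own admission code: it models the three prioritization rules and the "first SCC that validates wins" step with a deliberately simplified restrictiveness score (the real point values differ), a validation step that only checks the privileged flag and the run-as-user strategy, and a constructed namespace UID range standing in for the project's openshift.io/sa.scc.uid-range annotation.

```python
"""Model of how OCP 3.x orders the SCCs a requester may use and picks one.

Added example, not OpenShift code. Assumptions: the restrictiveness score
is a simplified stand-in for OpenShift's internal point values, validation
covers only the privileged flag and run-as-user strategy, and the UID
range below is constructed for this example.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# Constructed stand-in for the openshift.io/sa.scc.uid-range of a project.
NAMESPACE_UID_RANGE = (1000000000, 1000009999)


@dataclass(frozen=True)
class SCC:
    name: str
    priority: Optional[int]  # None is shown as <none> by `oc get scc`
    allow_privileged: bool
    run_as_user: str         # "RunAsAny" or "MustRunAsRange"
    selinux: str             # "RunAsAny" or "MustRunAs"


# The three SCCs discussed on this page, with their default priorities.
RESTRICTED = SCC("restricted", None, False, "MustRunAsRange", "MustRunAs")
PRIVILEGED = SCC("privileged", None, True, "RunAsAny", "RunAsAny")
ANYUID = SCC("anyuid", 10, False, "RunAsAny", "MustRunAs")


def effective_priority(scc: SCC) -> int:
    """Rule 1: nil (<none>) priority counts as 0."""
    return 0 if scc.priority is None else scc.priority


def restrictiveness_score(scc: SCC) -> int:
    """Simplified score: lower means more restrictive (assumed weights)."""
    score = 0
    if scc.allow_privileged:
        score += 100
    if scc.run_as_user == "RunAsAny":
        score += 10
    if scc.selinux == "RunAsAny":
        score += 10
    return score


def order_sccs(sccs: List[SCC]) -> List[SCC]:
    """Highest priority first, then most restrictive first, then by name."""
    return sorted(
        sccs,
        key=lambda s: (-effective_priority(s), restrictiveness_score(s), s.name),
    )


def validates(pod: Dict, scc: SCC) -> bool:
    """Does this SCC accept the pod's requested security context?"""
    if pod.get("privileged") and not scc.allow_privileged:
        return False
    uid = pod.get("run_as_user")
    if uid is not None and scc.run_as_user == "MustRunAsRange":
        lo, hi = NAMESPACE_UID_RANGE
        if not lo <= uid <= hi:
            return False  # e.g. an explicit runAsUser: 0 under restricted
    return True


def admit(pod: Dict, sccs: List[SCC]) -> Optional[str]:
    """Return the name of the first SCC (in priority order) that validates."""
    for scc in order_sccs(sccs):
        if validates(pod, scc):
            return scc.name
    return None  # no usable SCC: the pod would be rejected


def with_priority(scc: SCC, priority: Optional[int]) -> SCC:
    """Equivalent of `oc patch scc <name> -p "priority: N"`."""
    return replace(scc, priority=priority)


if __name__ == "__main__":
    plain_pod = {}  # nothing privileged requested, like the testpod above
    # Symptom from the Issue section: privileged granted, restricted wins.
    print(admit(plain_pod, [RESTRICTED, PRIVILEGED]))
    # After `oc patch scc privileged -p "priority: 5"` privileged wins.
    print(admit(plain_pod, [RESTRICTED, with_priority(PRIVILEGED, 5)]))
    # Without any patch, a pod that needs privilege falls through to it.
    print(admit({"privileged": True}, [RESTRICTED, PRIVILEGED]))
    # anyuid (priority 10) still outranks privileged at priority 5.
    print(admit(plain_pod, [RESTRICTED, with_priority(PRIVILEGED, 5), ANYUID]))
```

The model makes the trade-off visible: raising the priority of privileged changes what every pod of that requester gets by default, whereas leaving priorities alone and having only the pods that truly need it request privileged settings lets restricted keep handling everything else.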

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.