Create a custom SCC and assign to users or groups
Environment
OpenShift Container Platform (OCP) 3.11
Issue
- How do I mitigate CVE-2020-14336?
- The documentation says [not to modify existing SCCs](https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html#modify-cluster-default-behavior) to avoid changing cluster-wide behaviour. How do I adjust the defaults in that case?
- How do I drop an existing Linux capability only for the pods of certain users or groups?
Resolution
- Make a copy of the existing SCC you want to modify:

```shell
$ oc get scc restricted -o yaml > restricted-scc.yaml
```

- Make the desired changes, e.g. drop the NET_RAW capability:
```yaml
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
# Copied from the restricted SCC: granting system:authenticated makes this SCC
# available to every authenticated user. Remove it if only the users/groups
# added with "oc adm policy add-scc-to-user/add-scc-to-group" should get it.
groups:
- system:authenticated
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: mitigation for CVE-2020-14336. Use in place of restricted SCC
  name: nonetraw
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
- NET_RAW
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
```
Make sure to also change the name in the metadata section, as shown above; applying the file with the original name would overwrite the cluster default restricted SCC.
Make sure to set the priority to something greater than 0, so that the new SCC is tried before the restricted SCC for users who have access to both; see this article.
- Create the new SCC:

```shell
$ oc apply -f restricted-scc.yaml
securitycontextconstraints.security.openshift.io/nonetraw created
```
- Grant the SCC to users or groups (the `add-scc-to-user` form takes user names, the `add-scc-to-group` form takes group names):

```shell
$ oc adm policy add-scc-to-user nonetraw <user>
$ oc adm policy add-scc-to-group nonetraw <group>
```
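After granting the SCC, a practitioner will want to verify that the affected pods really were admitted by `nonetraw` and had NET_RAW dropped. The audit below is an added example, not part of the original solution: it reads the JSON printed by `oc get pods --all-namespaces -o json` (OpenShift records the admitting SCC in the `openshift.io/scc` pod annotation and writes the required drops into each container's `securityContext.capabilities.drop`) and reports pods that were not admitted under the expected SCC or still keep the capability. The sample pod list is constructed for the demonstration.

```python
import json
import sys

EXPECTED_SCC = "nonetraw"   # name of the custom SCC from this article
CAPABILITY = "NET_RAW"      # capability the SCC must drop


def audit_pods(pods, expected_scc=EXPECTED_SCC, capability=CAPABILITY):
    """Return findings for a parsed PodList (`oc get pods -A -o json`).

    A pod is flagged when the admission annotation names a different SCC, and
    each container is flagged when its drop list does not contain `capability`.
    """
    findings = []
    for pod in pods.get("items", []):
        meta = pod.get("metadata", {}) or {}
        ident = f"{meta.get('namespace')}/{meta.get('name')}"
        scc = (meta.get("annotations") or {}).get("openshift.io/scc")
        if scc != expected_scc:
            findings.append(f"{ident}: admitted by SCC {scc!r}, expected {expected_scc!r}")
        for container in (pod.get("spec") or {}).get("containers", []):
            caps = (container.get("securityContext") or {}).get("capabilities") or {}
            if capability not in (caps.get("drop") or []):
                findings.append(f"{ident}/{container['name']}: {capability} not dropped")
    return findings


def _pod(ns, name, scc, container, drops):
    """Build a minimal constructed pod object in the shape `oc` prints."""
    return {"metadata": {"namespace": ns, "name": name,
                         "annotations": {"openshift.io/scc": scc}},
            "spec": {"containers": [{"name": container,
                                     "securityContext": {"capabilities": {"drop": drops}}}]}}


# Constructed sample: one pod admitted by nonetraw, one still admitted by restricted.
SAMPLE_PODS = {"items": [
    _pod("app", "web-1", "nonetraw", "web", ["KILL", "MKNOD", "SETUID", "SETGID", "NET_RAW"]),
    _pod("app", "legacy-1", "restricted", "legacy", ["KILL", "MKNOD", "SETUID", "SETGID"]),
]}

if __name__ == "__main__":
    # Pipe real cluster output in (oc get pods -A -o json | python3 audit.py) or run the sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PODS
    for line in audit_pods(data):
        print(line)
```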
Documentation Reference: https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.