Using SCC anyuid in OKD-OpenShift » History » Revision 3
Revision 2 (Peter Pfläging, 21.07.2021 19:53) → Revision 3/6 (Peter Pfläging, 22.07.2021 06:27)
# Let root containers run in a specific namespace (OKD / OpenShift)

It's not advised, but there are cases where you have to run Pods as root. OpenShift ships a SecurityContextConstraint (SCC) for exactly this case:

`oc get scc anyuid -o yaml`

```yaml
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    kubernetes.io/description: anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID.
    release.openshift.io/create-only: "true"
  name: anyuid
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:cluster-admins
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
```

What to read out of this: `runAsUser: RunAsAny` is the line that permits UID 0 (and any GID via `fsGroup` / `supplementalGroups`). Everything else stays as restrictive as the `restricted` SCC: no host network, PID, IPC, ports or host paths, no privileged containers, no extra capabilities, and `MKNOD` is still dropped. Two things deserve attention before handing it out: `allowPrivilegeEscalation: true` (setuid binaries in the image work), and `priority: 10`, which is higher than `restricted`, so a service account that can use anyuid gets it for every pod it runs, whether that pod asks for root or not. `system:cluster-admins` already hold it through `groups`.

AnyUID Reference: <https://docs.okd.io/latest/authentication/managing-security-context-constraints.html>

The best practicable way is to create a dedicated namespace for these *evil* pods and restrict access to that namespace as tightly as you can.
## Set this with commandline tools

OK, we make a namespace `evilone-notsecure`:

`oc new-project evilone-notsecure --description="Evil Project for root Containers (need anyuid)" --display-name="Evil One (anyuid!)"`

Then we grant the SCC to the `default` service account in this project:

`oc adm policy add-scc-to-user anyuid -z default -n evilone-notsecure`

On OKD / OpenShift 4 this does not touch the `users:` list of the SCC itself. It creates a RoleBinding in the project to the cluster role `system:openshift:scc:anyuid`, which carries the `use` permission on the SCC:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: system:openshift:scc:anyuid
  namespace: evilone-notsecure
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
  name: default
  namespace: evilone-notsecure
```

Caveat: every pod in the project that does not set `serviceAccountName` runs as `default`, and anyuid has priority 10, so all of those pods are now admitted under anyuid whether they need root or not. Binding the SCC to a dedicated service account instead (same command with `-z <name>`) limits the grant to exactly the pods that opt in, and the RoleBinding is what you audit later to see who can run as root in the cluster.
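The whole procedure as one script, added here as an example and not code from the original page: it does what the two `oc` commands above do, but binds anyuid to a dedicated service account (assumed name `rootrunner`) instead of `default`, deploys a test pod (assumed name `root-demo`, assumed image `registry.access.redhat.com/ubi8/ubi-minimal`) that asks for UID 0, and then checks that the service account really holds `use` on the SCC and that the pod was admitted under anyuid rather than some other SCC. Without the `apply` argument it only prints the manifests, so it needs no cluster.

```shell
#!/bin/sh
# Added example, not from the original page. Grants the anyuid SCC to a
# DEDICATED service account in the project and verifies the result.
# Assumed names (not on the page): service account "rootrunner", pod
# "root-demo", image registry.access.redhat.com/ubi8/ubi-minimal.
# Usage:  sh grant-anyuid.sh          # print the manifests only (no cluster needed)
#         sh grant-anyuid.sh apply    # create project, apply, and run the checks
set -eu

NS="${NS:-evilone-notsecure}"
SA="${SA:-rootrunner}"
POD="${POD:-root-demo}"

sa_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA
  namespace: $NS
EOF
}

# The same RoleBinding that "oc adm policy add-scc-to-user anyuid -z $SA"
# creates on OKD / OpenShift 4, but for the dedicated service account.
rolebinding_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: system:openshift:scc:anyuid
  namespace: $NS
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:anyuid
subjects:
- kind: ServiceAccount
  name: $SA
  namespace: $NS
EOF
}

# A pod that really needs UID 0. Everything anyuid does not require is still
# locked down: no privilege escalation and all capabilities dropped (anyuid only
# insists on dropping MKNOD; dropping more than an SCC requires is always allowed).
pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $POD
  namespace: $NS
spec:
  serviceAccountName: $SA
  containers:
  - name: main
    image: registry.access.redhat.com/ubi8/ubi-minimal
    command: ["sleep", "3600"]
    securityContext:
      runAsUser: 0
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
EOF
}

# Admission records the SCC it validated the pod against in the pod annotation
# openshift.io/scc. Anything but "anyuid" means another SCC matched.
scc_annotation_is_anyuid() {
  [ "$1" = "anyuid" ]
}

if [ "${1:-}" = "apply" ]; then
  oc new-project "$NS" --description="Evil Project for root Containers (need anyuid)" \
    --display-name="Evil One (anyuid!)" 2>/dev/null || oc project "$NS"
  { sa_manifest; echo ---; rolebinding_manifest; echo ---; pod_manifest; } | oc apply -f -
  # Check 1: does the service account hold "use" on the SCC via the RoleBinding?
  oc auth can-i use securitycontextconstraints/anyuid -n "$NS" --as="system:serviceaccount:$NS:$SA"
  oc wait --for=condition=Ready "pod/$POD" -n "$NS" --timeout=120s
  # Check 2: which SCC admitted the pod, and what UID does it actually run as?
  scc=$(oc get pod "$POD" -n "$NS" -o jsonpath='{.metadata.annotations.openshift\.io/scc}')
  scc_annotation_is_anyuid "$scc" || { echo "pod admitted under SCC '$scc', not anyuid" >&2; exit 1; }
  echo "pod runs as uid $(oc exec -n "$NS" "$POD" -- id -u) under SCC $scc"
else
  { sa_manifest; echo ---; rolebinding_manifest; echo ---; pod_manifest; }
fi
```

The two checks at the end are the ones worth keeping in a runbook: `oc auth can-i use securitycontextconstraints/anyuid --as=system:serviceaccount:<ns>:<sa>` answers whether the grant exists at all, and the `openshift.io/scc` annotation on the running pod answers which SCC actually admitted it, which is what you want to know when a pod unexpectedly comes up as root (or refuses to) after someone changes a binding or a higher-priority SCC appears on the cluster.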