Using SCC anyuid in OKD-OpenShift » Historie » Zyklus 5
Peter Pfläging, 22.07.2021 07:10
| 1 | 3 | Peter Pfläging | # Let root containers run in a specific namespace (OKD / OpenShift) |
|---|---|---|---|
| 2 | |||
| 3 | It's not advised, but there are cases where you have to run Pods as root. There's a SecurityContextConstraint (SCC) in OpenShift handling this: |
||
| 4 | |||
| 5 | `oc get scc anyuid -o yaml` |
||
| 6 | |||
| 7 | ```yaml |
||
| 8 | kind: SecurityContextConstraints |
||
| 9 | apiVersion: security.openshift.io/v1 |
||
| 10 | metadata: |
||
| 11 | annotations: |
||
| 12 | include.release.openshift.io/ibm-cloud-managed: "true" |
||
| 13 | include.release.openshift.io/self-managed-high-availability: "true" |
||
| 14 | include.release.openshift.io/single-node-developer: "true" |
||
| 15 | kubernetes.io/description: anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID. |
||
| 16 | release.openshift.io/create-only: "true" |
||
| 17 | name: anyuid |
||
| 18 | allowHostDirVolumePlugin: false |
||
| 19 | allowHostIPC: false |
||
| 20 | allowHostNetwork: false |
||
| 21 | allowHostPID: false |
||
| 22 | allowHostPorts: false |
||
| 23 | allowPrivilegeEscalation: true |
||
| 24 | allowPrivilegedContainer: false |
||
| 25 | allowedCapabilities: null |
||
| 26 | defaultAddCapabilities: null |
||
| 27 | fsGroup: |
||
| 28 | type: RunAsAny |
||
| 29 | groups: |
||
| 30 | - system:cluster-admins |
||
| 31 | priority: 10 |
||
| 32 | readOnlyRootFilesystem: false |
||
| 33 | requiredDropCapabilities: |
||
| 34 | - MKNOD |
||
| 35 | runAsUser: |
||
| 36 | type: RunAsAny |
||
| 37 | seLinuxContext: |
||
| 38 | type: MustRunAs |
||
| 39 | supplementalGroups: |
||
| 40 | type: RunAsAny |
||
| 41 | users: [] |
||
| 42 | volumes: |
||
| 43 | - configMap |
||
| 44 | - downwardAPI |
||
| 45 | - emptyDir |
||
| 46 | - persistentVolumeClaim |
||
| 47 | - projected |
||
| 48 | ``` |
||
| 49 | |||
| 50 | Reference: <https://docs.okd.io/latest/authentication/managing-security-context-constraints.html> |
||
| 51 | |||
| 52 | The best and practicable way is to create a special namespace for this *evil* pods and restrict the access to this namespaces as wide as you can. |
||
| 53 | |||
| 54 | ## Set this with commandline tools |
||
| 55 | |||
| 56 | OK, we make a namespace `evilone-notsecure` |
||
| 57 | |||
| 58 | `oc new-project evilone-notsecure --description="Evil Project for root Containers (need anyuid)" --display-name="Evil One (anyuid!)"` |
||
| 59 | |||
| 60 | Then we set the SCC for the default Systemaccount in this project: |
||
| 61 | |||
| 62 | `oc adm oc policy add-scc-to-user -z default -n evilone-notsecure anyuid` |
||
| 63 | |||
| 64 | 4 | Peter Pfläging | ## Set this with an RoleBinding object (for GitOps people ;-)) |
| 65 | 3 | Peter Pfläging | |
| 66 | 4 | Peter Pfläging | The above command creates the following RoleBinding in the namespace: |
| 67 | 1 | Peter Pfläging | |
| 68 | ```yaml |
||
| 69 | apiVersion: rbac.authorization.k8s.io/v1 |
||
| 70 | kind: RoleBinding |
||
| 71 | metadata: |
||
| 72 | name: system:openshift:scc:anyuid |
||
| 73 | 4 | Peter Pfläging | namespace: evilone-notsecure |
| 74 | 1 | Peter Pfläging | roleRef: |
| 75 | apiGroup: rbac.authorization.k8s.io |
||
| 76 | kind: ClusterRole |
||
| 77 | name: system:openshift:scc:anyuid |
||
| 78 | subjects: |
||
| 79 | - kind: ServiceAccount |
||
| 80 | name: default |
||
| 81 | 4 | Peter Pfläging | namespace: evilone-notsecure |
| 82 | 1 | Peter Pfläging | ``` |
| 83 | |||
| 84 | 4 | Peter Pfläging | You can import this manually with `oc apply -f filename.yaml` |
| 85 | 5 | Peter Pfläging | |
| 86 | ## Verify anyuid rights in your cluster |
||
| 87 | |||
| 88 | You can search for the RoleBinding: |
||
| 89 | |||
| 90 | `oc get rolebindings -A | grep ClusterRole/system:openshift:scc:anyuid` |
||
| 91 | |||
| 92 | **Attention:** there might be a ClusterRoleRinding with additional namespaces or ServiceAccounts: |
||
| 93 | |||
| 94 | `oc get clusterrolebindings -A | grep ClusterRole/system:openshift:scc:anyuid` and then look at this object! |
pflaeging.net