Zyklus 6 - Historie - Using SCC anyuid in OKD-OpenShift - Kube-faq - Stickie~Box pflaeging.net

Using SCC anyuid in OKD-OpenShift » Historie » Zyklus 6

Peter Pfläging, 01.12.2021 09:50

-Peter Pfläging
+# Let root containers run in a specific namespace (OKD / OpenShift)
 It's not advised, but there are cases where you have to run Pods as root. There's a SecurityContextConstraint (SCC) in OpenShift handling this:
 `oc get scc anyuid -o yaml`
 ```yaml
 kind: SecurityContextConstraints
 apiVersion: security.openshift.io/v1
 metadata:
   annotations:
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
     include.release.openshift.io/single-node-developer: "true"
     kubernetes.io/description: anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID.
     release.openshift.io/create-only: "true"
   name: anyuid
 allowHostDirVolumePlugin: false
 allowHostIPC: false
 allowHostNetwork: false
 allowHostPID: false
 allowHostPorts: false
 allowPrivilegeEscalation: true
 allowPrivilegedContainer: false
 allowedCapabilities: null
 defaultAddCapabilities: null
 fsGroup:
   type: RunAsAny
 groups:
 - system:cluster-admins
 priority: 10
 readOnlyRootFilesystem: false
 requiredDropCapabilities:
 - MKNOD
 runAsUser:
   type: RunAsAny
 seLinuxContext:
   type: MustRunAs
 supplementalGroups:
   type: RunAsAny
 users: []
 volumes:
 - configMap
 - downwardAPI
 - emptyDir
 - persistentVolumeClaim
 - projected
 ```
 Reference: <https://docs.okd.io/latest/authentication/managing-security-context-constraints.html>
 The best and practicable way is to create a special namespace for this *evil* pods and restrict the access to this namespaces as wide as you can.
 ## Set this with commandline tools
 OK, we make a namespace `evilone-notsecure`
 `oc new-project evilone-notsecure --description="Evil Project for root Containers (need anyuid)" --display-name="Evil One (anyuid!)"`
 Then we set the SCC for the default Systemaccount in this project:
-Peter Pfläging
+`oc adm policy add-scc-to-user -z default -n evilone-notsecure anyuid`
 Peter Pfläging
-Peter Pfläging
+## Set this with an RoleBinding object (for GitOps people ;-))
 Peter Pfläging
-Peter Pfläging
+The above command creates the following RoleBinding in the namespace:
 Peter Pfläging
 ```yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: system:openshift:scc:anyuid
-Peter Pfläging
+  namespace: evilone-notsecure
-Peter Pfläging
+roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: system:openshift:scc:anyuid
 subjects:
 - kind: ServiceAccount
   name: default
-Peter Pfläging
+  namespace: evilone-notsecure
-Peter Pfläging
+```
-Peter Pfläging
+You can import this manually with `oc apply -f filename.yaml`
 Peter Pfläging
 ## Verify anyuid rights in your cluster
 You can search for the RoleBinding:
 `oc get rolebindings -A | grep ClusterRole/system:openshift:scc:anyuid`
 **Attention:** there might be a ClusterRoleRinding with additional namespaces or ServiceAccounts:
 `oc get clusterrolebindings -A | grep ClusterRole/system:openshift:scc:anyuid` and then look at this object!

Box

Allgemein

Profil

Kube-faq

Using SCC anyuid in OKD-OpenShift » Historie » Zyklus 6