OpenShift Security Context Constraints: Difference between revisions
Jump to navigation
Jump to search
| Line 13: | Line 13: | ||
=Overview= | =Overview= | ||
OpenShift uses Security Context Constraints (SCCs) to control the actions that a pod, and ultimately, a container, can perform and what it has the ability to access. | OpenShift uses Security Context Constraints (SCCs) to control the actions that a pod, and ultimately, a container, can perform and what resources it has the ability to access, security features, access to host features, etc. | ||
A ''Security Context Constraint (SCC)'' is an OpenShift primitive that defines capability declarations used by the [[#Access_Controller|access controller]] to validate pod-related requests. The capabilities are expressed as booleans, lists and [[#Strategy|strategies]]. The boolean fields default to the most restrictive values. Values of a list field are checked agains the set to ensure the value is allowed. | |||
=Strategy= | |||
A ''strategy'' implies a mechanism to generate the value and a mechanism to insure that a specified value falls into a set of allowable values. | |||
=Access Controller= | |||
Revision as of 19:38, 23 January 2018
External
- https://docs.openshift.com/container-platform/latest/architecture/additional_concepts/authorization.html#security-context-constraints
- https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html
- https://docs.openshift.com/container-platform/latest/install_config/persistent_storage/pod_security_context.html
Internal
- OpenShift Security Concepts
- Docker Concepts - Privileged Container
- Security Context Constrains Operations
Overview
OpenShift uses Security Context Constraints (SCCs) to control the actions that a pod, and ultimately, a container, can perform and what resources it has the ability to access, security features, access to host features, etc.
A Security Context Constraint (SCC) is an OpenShift primitive that defines capability declarations used by the access controller to validate pod-related requests. The capabilities are expressed as booleans, lists and strategies. The boolean fields default to the most restrictive values. Values of a list field are checked agains the set to ensure the value is allowed.
Strategy
A strategy implies a mechanism to generate the value and a mechanism to insure that a specified value falls into a set of allowable values.