OpenShift Security Context Constraints: Difference between revisions
Line 44: | Line 44: | ||
{{External|https://blog.openshift.com/understanding-service-accounts-sccs/}} | {{External|https://blog.openshift.com/understanding-service-accounts-sccs/}} | ||
More: {{Internal|OpenShift_Security_Concepts#Service_Account|Service Accounts}} | |||
{{Internal|OpenShift_Security_Operations#Service_Accounts_and_SCCs|SCC Operations}} | {{Internal|OpenShift_Security_Operations#Service_Accounts_and_SCCs|SCC Operations}} |
Revision as of 23:13, 12 February 2018
External
- https://docs.openshift.com/container-platform/latest/architecture/additional_concepts/authorization.html#security-context-constraints
- https://docs.openshift.com/container-platform/latest/admin_guide/manage_scc.html
- https://docs.openshift.com/container-platform/latest/install_config/persistent_storage/pod_security_context.html
Internal
- OpenShift Security Concepts
- Docker Concepts - Privileged Container
- Security Context Constrains Operations
Overview
OpenShift uses Security Context Constraints (SCCs) to control the actions that a pod, and ultimately, a container, can perform and what resources it has the ability to access, security features, access to host features, etc.
A Security Context Constraint (SCC) is an OpenShift primitive that defines capability declarations used by the admission controller to validate pod-related requests. The capabilities are expressed as booleans, lists and strategies. The boolean fields default to the most restrictive values. Values of a list field are checked agains the set to ensure the value is allowed.
The SCC a Pod Runs Under
To find out what SCC a pod runs under, execute: oc get pod -o yaml <pod-name>. The SCC will be listed as the "openshift.io/scc" annotation:
apiVersion: v1 kind: Pod metadata: annotations: openshift.io/scc: restricted
Admission Controller
The admission controller validates requests by processing these requests relative to all applicable SCCs. The admission controller first identifies all applicable SCCs based on the user identity and groups the user belongs to. If the pod specifies a service account, the constraints accessible to the service account will be added to the applicable SCC set. It then sorts the SCCs by their priority field, highest priority SCCs being placed in front of the list. Nil is considered 0 priority. If the priorities are equal, the SCCs will be sorted from most restrictive to least restrictive. All else being equal, the SCCs will be sorted by name. The field values for the security context settings that were not specified on the request are generated. The final settings are validated against the available constraints. Each field of the security context must be validated against SCCs in order for a request to be successful.
More details about admission control:
Security Context Constraints and Users/Groups
Regular users and groups can be associated with specific SCCs via administrative operations:
Security Context Constraints and Service Accounts
More:
Strategy
A strategy implies a mechanism to generate the value and a mechanism to insure that a specified value falls into a set of allowable values.
RUNASUSER
Provides a user ID to run with and validates it.
Available options:
MustRunAs
Requires a “runAsUser” to be configured. Uses the configured “runAsUser” as the default. Validates against the configured “runAsUser”.
MustRunAsRange
MustRunAsNonRoot
RunAsAny
SELINUXCONTEXT
SUPPLEMENTALGROUPS
FSGROUP
Existing SCCs
The existing SCCs can be obtained with:
oc get scc
'privileged' SCC
'privileged' allows access to all privileged and host features and the ability to run as any user, any group, any FSGroup, and with any SELinux context. This is the most relaxed SCC and should be used only for cluster administration.
'restricted’ SCC
‘restricted’ denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC; this SCC is the default for authenticated users.
'anyuid' SCC
‘anyuid’ provides all features of the restricted SCC but allows users to run with any UID and any GID.
'hostaccess' SCC
'hostaccess’ allows access to all host namespaces but still requires pods to be run with a UID and SELinux context that are allocated to the namespace. This SCC allows host access to namespaces, file systems, and PIDS. It should only be used by trusted pods.
'hostmount-anyuid' SCC
SCC Fields
TODO move to Security Context Constraints Definition.
priority
groups
volumes
A list (ConfigMap, downwardAPI, emptyDir, persistentVolumeClaim, projected, secret).
allowPrivilegedContainer
true|false
allowHostDirVolumePlugin
true|false. Can the pod use host directories as volumes?
allowHostIPC
true|false
allowHostNetwork
true|false
allowHostPID
true|false
allowHostPorts
true|false
readOnlyRootFilesystem
true|false
allowedCapabilities
Defines the capabilities a container can request to be added.
defaultAddCapabilities
requiredDropCapabilities
A list (KILL, MKNOD, SYS_CHROOT, SETUID, SETGID).
fsGroup
A strategy (MustRunAs)
runAsUser
A strategy (MustRunAsRange). The strategy generates the uid.
seLinuxContext
Specifies the SELinux context of a container. It is a strategy (MustRunAs)
supplementalGroups
RunAsAny.