Merge pull request #1847 from haircommander/userns-scc

openshift-merge-bot[bot] · web-flow · commit 7f23c5de7fcb · 2025-08-04T17:18:08.000Z
OCPNODE-2559: SCC: add nested-podman and restricted-v3
diff --git a/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_cr-scc-nested-container.yaml b/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_cr-scc-nested-container.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: system:openshift:scc:nested-container
+rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - nested-container
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
diff --git a/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_cr-scc-restricted-v3.yaml b/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_cr-scc-restricted-v3.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: system:openshift:scc:restricted-v3
+rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - restricted-v3
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
diff --git a/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-nested-container.yaml b/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-nested-container.yaml
@@ -0,0 +1,61 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities:
+- SETUID
+- SETGID
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities:
+fsGroup:
+  type: MustRunAs
+  ranges:
+  - min: 0
+    max: 65534
+groups: []
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    kubernetes.io/description: 'nested-container is specially tailored for running nested containers.
+    It balances a tight security profile, while remaining loose enough to be useful to run nested containers in.
+    In addition to requiring pods run with a user namespace, it allows SETUID and SETGID capabilities, requires the "container_engine_t" SELinux type,
+    allows any users within the range of 0-65534, allows privilege escalation (to allow a container engine to run new{uid/gid}map), and allows any seccomp profile.
+    Since any pods running within this SCC must use a user namespace ("hostUsers: false"), their actual UID/GID on the host will be
+    allocated by the kubelet to be unprivileged, and any capabilities the pod is granted will not apply outside of the pods user namespace.'
+  name: nested-container
+priority:
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+runAsUser:
+  type: MustRunAsRange
+  ranges:
+  - min: 0
+    max: 65534
+seLinuxContext:
+  type: MustRunAs
+  seLinuxOptions:
+    type: container_engine_t
+seccompProfiles:
+- "*"
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+  - min: 0
+    max: 65534
+users: []
+userNamespaceLevel: RequirePodLevel
+volumes:
+- configMap
+- csi
+- downwardAPI
+- emptyDir
+- ephemeral
+- persistentVolumeClaim
+- projected
+- secret
diff --git a/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-restricted-v3.yaml b/bindata/bootkube/scc-manifests/0000_20_kube-apiserver-operator_00_scc-restricted-v3.yaml
@@ -0,0 +1,62 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+- NET_BIND_SERVICE
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities:
+fsGroup:
+  type: MustRunAs
+  ranges:
+  - min: 1000
+    max: 65534
+groups: []
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    include.release.openshift.io/ibm-cloud-managed: "true"
+    include.release.openshift.io/self-managed-high-availability: "true"
+    include.release.openshift.io/single-node-developer: "true"
+    kubernetes.io/description: restricted-v3 denies access to all host features and requires
+      pods to be run with user namespace (and may not be root within that user namespace),
+      and SELinux context that are allocated to the namespace. This is the most restrictive SCC.
+      On top of the legacy 'restricted' SCC, it also requires to drop ALL capabilities
+      and does not allow privilege escalation binaries. It will also default the seccomp
+      profile to runtime/default if unset, otherwise this seccomp profile is required.
+      On top of the legacy 'restricted-v2' SCC, it requires a pod runs in a user namespace.
+      Because of this, the pod to be any non-root UID within the user namespace (between 1000-65534), and
+      it will still be unprivileged outside of the user namespace.
+  name: restricted-v3
+priority:
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- ALL
+runAsUser:
+  type: MustRunAsRange
+  ranges:
+  - min: 1000
+    max: 65534
+seLinuxContext:
+  type: MustRunAs
+seccompProfiles:
+- runtime/default
+supplementalGroups:
+  type: MustRunAs
+  ranges:
+  - min: 1000
+    max: 65534
+users: []
+userNamespaceLevel: RequirePodLevel
+volumes:
+- configMap
+- csi
+- downwardAPI
+- emptyDir
+- ephemeral
+- persistentVolumeClaim
+- projected
+- secret
