modules/security-context-constraints-about.adoc
+12-5Lines changed: 12 additions & 5 deletions
Original file line number
Diff line number
Diff line change
@@ -10,7 +10,8 @@ Similar to the way that RBAC resources control user access, administrators can u
10
10
11
11
Security context constraints allow an administrator to control:
12
12
13
-
* Whether a pod can run privileged containers
13
+
* Whether a pod can run privileged containers with the `allowPrivilegedContainer` flag.
14
+
* Whether a pod is constrained with the `allowPrivilegeEscalation` flag.
14
15
* The capabilities that a container can request
15
16
* The use of host directories as volumes
16
17
* The SELinux context of the container
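Review bot: the new bullet "Whether a pod is constrained with the `allowPrivilegeEscalation` flag" is vague; "constrained" does not say what the flag governs. Reword it parallel to the bullet above it, e.g. "* Whether a pod can request privilege escalation, with the `allowPrivilegeEscalation` flag". Also, both added bullets end with a full stop while the unchanged bullets in this list ("* The capabilities that a container can request", "* The use of host directories as volumes") do not; pick one style for the whole list.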
@@ -55,7 +56,7 @@ ifndef::openshift-dedicated[]
55
56
56
57
[WARNING]
57
58
====
58
-
This SCC allows host access to namespaces, file systems, and PIDS. It should only be used by trusted pods. Grant with caution.
59
+
This SCC allows host access to namespaces, file systems, and PIDs. It should only be used by trusted pods. Grant with caution.
59
60
====
60
61
61
62
|`hostmount-anyuid`
@@ -110,12 +111,12 @@ The `privileged` SCC allows:
110
111
111
112
[NOTE]
112
113
====
113
-
Setting `privileged: true` in the pod specification does not select the `privileged` SCC. Setting `privileged: true` in the pod specification matches on the `allowPrivilegedContainer` field of an SCC.
114
+
Setting `privileged: true` in the pod specification does not necessarily select the `privileged` SCC. The SCC that has `allowPrivilegedContainer: true` and has the highest prioritization will be chosen if the user has the permissions to use it.
114
115
====
115
116
endif::[]
116
117
117
118
|`restricted`
118
-
|Denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC and it is used by default for authenticated users.
119
+
|Denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. This is the most restrictive SCC provided by a new installation and will be used by default for authenticated users.
119
120
120
121
The `restricted` SCC:
121
122
@@ -125,6 +126,12 @@ The `restricted` SCC:
125
126
* Requires that a pod is run with a pre-allocated MCS label
126
127
* Allows pods to use any FSGroup
127
128
* Allows pods to use any supplemental group
129
+
130
+
[NOTE]
131
+
====
132
+
The restricted SCC is the most restrictive of the SCCs that ship by default with the system. However, you can create a custom SCC that is even more restrictive. For example, you can create an SCC that restricts `readOnlyRootFS` to `true` and `allowPrivilegeEscalation` to `false`.
133
+
====
134
+
128
135
|===
129
136
130
137
[id="scc-settings_{context}"]
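Review bot: the field name `readOnlyRootFS` in the new NOTE does not follow the naming used for the other SCC fields in this change (`allowPrivilegedContainer`, `allowPrivilegeEscalation` are spelled out in full camel case); verify the exact SCC field name before merging, because readers will copy it into a manifest. "restricts `readOnlyRootFS` to `true`" also reads oddly; "sets `...` to `true` and `allowPrivilegeEscalation` to `false`" is clearer. Finally, "The restricted SCC is the most restrictive of the SCCs that ship by default" repeats the sentence just added to the `restricted` table row above; one of the two statements could be shortened to avoid drift between them later.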
@@ -171,7 +178,7 @@ The containers use the capabilities from this default list, but pod manifest aut
171
178
172
179
[NOTE]
173
180
====
174
-
You can drop all capabilites from containers by setting the `requiredDropCapabilities` parameter to `ALL`.
181
+
You can drop all capabilites from containers by setting the `requiredDropCapabilities` parameter to `ALL`.
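Review bot: the removed and added lines in this hunk are identical apart from whitespace, so this looks like a trailing-whitespace-only change, yet the typo "capabilites" survives on the new line. While touching the line, change it to "You can drop all capabilities from containers by setting the `requiredDropCapabilities` parameter to `ALL`."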