Merge pull request #30617 from bergerhoffer/OSDOCS-1898

bergerhoffer · web-flow · commit e8141fbc0c7b · 2021-09-08T10:47:43.000-04:00
OSDOCS-1898: Improving About SCC docs
diff --git a/modules/security-context-constraints-about.adoc b/modules/security-context-constraints-about.adoc
@@ -5,58 +5,86 @@
 [id="security-context-constraints-about_{context}"]
 = About security context constraints
 
-Similar to the way that RBAC resources control user access, administrators can
-use _security context constraints_ (SCCs) to control permissions for pods. These
-permissions include actions that a _pod_, a collection of containers, can
-perform and what resources it can access. You can use SCCs to define a set of
-conditions that a pod must run with to be accepted into the system.
-
-ifdef::openshift-origin,openshift-enterprise,openshift-dedicated[]
-SCCs allow an administrator to control:
-
-- Whether a pod can run privileged containers.
-- The capabilities that a container can request.
-- The use of host directories as volumes.
-- The SELinux context of the container.
-- The container user ID.
-- The use of host namespaces and networking.
-- The allocation of an `FSGroup` that owns the pod's volumes.
-- The configuration of allowable supplemental groups.
-- Whether a container requires the use of a read only root file system.
-- The usage of volume types.
-- The configuration of allowable `seccomp` profiles.
-
-////
-If you have `cluster-admin` privileges, you can adjust the default SCC policies to
-be more permissive.
-////
-
-The cluster contains nine default SCCs:
-
-* `anyuid`
-* `hostaccess`
-* `hostmount-anyuid`
-* `hostnetwork`
-+
-[WARNING]
-====
-If additional workloads are run on control plane hosts (also known as the master hosts), use caution when providing access to `hostnetwork`. A workload that runs `hostnetwork` on a control plane host is effectively root on the cluster and must be trusted accordingly.
-====
-* `node-exporter`
-* `nonroot`
-* `privileged`
-* `restricted`
-* `pipelines-scc`
+Similar to the way that RBAC resources control user access, administrators can use _security context constraints_ (SCCs) to control permissions for pods. These permissions include actions that a pod can perform and what resources it can access. You can use SCCs to define a set of conditions that a pod must run with to be accepted into the system.
+
+Security context constraints allow an administrator to control:
 
+* Whether a pod can run privileged containers
+* The capabilities that a container can request
+* The use of host directories as volumes
+* The SELinux context of the container
+* The container user ID
+* The use of host namespaces and networking
+* The allocation of an `FSGroup` that owns the pod volumes
+* The configuration of allowable supplemental groups
+* Whether a container requires write access to its root file system
+* The usage of volume types
+* The configuration of allowable `seccomp` profiles
+
+[id="default-sccs_{context}"]
+== Default security context constraints
+
+The cluster contains several default security context constraints (SCCs) as described in the table below. Additional SCCs might be installed when you install Operators or other components to {product-title}.
 
 [IMPORTANT]
 ====
 Do not modify the default SCCs. Customizing the default SCCs can lead to issues when some of the platform pods deploy or {product-title} is upgraded. During upgrades between some versions of {product-title}, the values of the default SCCs are reset to the default values, which discards all customizations to those SCCs.
 ifdef::openshift-origin,openshift-enterprise,openshift-webscale[]
-Instead, create new SCCs.
+Instead, create new SCCs as needed.
 endif::[]
 ====
 
+.Default security context constraints
+[cols="1,3a",options="header"]
+|===
+|Security context constraint |Description
+
+|`anyuid`
+| Provides all features of the `restricted` SCC, but allows users to run with any UID and any GID.
+
+|`hostaccess`
+|Allows access to all host namespaces but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
+
+[WARNING]
+====
+This SCC allows host access to namespaces, file systems, and PIDS. It should only be used by trusted pods. Grant with caution.
+====
+
+|`hostmount-anyuid`
+|Provides all the features of the `restricted` SCC, but allows host mounts and running as any UID and any GID on the system.
+
+[WARNING]
+====
+This SCC allows host file system access as any UID, including UID 0. Grant with caution.
+====
+
+|`hostnetwork`
+|Allows using host networking and host ports but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.
+
+[WARNING]
+====
+If additional workloads are run on control plane hosts (also known as the master hosts), use caution when providing access to `hostnetwork`. A workload that runs `hostnetwork` on a control plane host is effectively root on the cluster and must be trusted accordingly.
+====
+
+|`node-exporter`
+|Used for the Prometheus node exporter.
+
+[WARNING]
+====
+This SCC allows host file system access as any UID, including UID 0. Grant with caution.
+====
+
+|`nonroot`
+|Provides all features of the `restricted` SCC, but allows users to run with any non-root UID. The user must specify the UID or it must be specified in the manifest of the container runtime.
+
+|`privileged`
+|Allows access to all privileged and host features and the ability to run as any user, any group, any FSGroup, and with any SELinux context.
+
+[WARNING]
+====
+This is the most relaxed SCC and should be used only for cluster administration. Grant with caution.
+====
+
 The `privileged` SCC allows:
 
 * Users to run privileged pods
@@ -70,25 +98,32 @@ The `privileged` SCC allows:
 * Pods to use any seccomp profiles
 * Pods to request any capabilities
 
-The `restricted` SCC:
-
-* Ensures that pods cannot run as privileged.
-* Ensures that pods cannot mount host directory volumes.
-* Requires that a pod run as a user in a pre-allocated range of UIDs.
-* Requires that a pod run with a pre-allocated MCS label.
-* Allows pods to use any FSGroup.
-* Allows pods to use any supplemental group.
-
 [NOTE]
 ====
-For more information about each SCC, see the `kubernetes.io/description`
-annotation available on the SCC.
+Setting `privileged: true` in the pod specification does not select the `privileged` SCC. Setting `privileged: true` in the pod specification matches on the `allowPrivilegedContainer` field of an SCC.
 ====
 
-SCCs are composed of settings and strategies that control the security features
+|`restricted`
+|Denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace.  This is the most restrictive SCC and it is used by default for authenticated users.
+
+The `restricted` SCC:
+
+* Ensures that pods cannot run as privileged
+* Ensures that pods cannot mount host directory volumes
+* Requires that a pod is run as a user in a pre-allocated range of UIDs
+* Requires that a pod is run with a pre-allocated MCS label
+* Allows pods to use any FSGroup
+* Allows pods to use any supplemental group
+
+|===
+
+[id="scc-settings_{context}"]
+== Security context constraints settings
+
+Security context constraints (SCCs) are composed of settings and strategies that control the security features
 a pod has access to. These settings fall into three categories:
 
-[cols="1,4",options="header"]
+[cols="1,3",options="header"]
 |===
 
 |Category
@@ -126,42 +161,43 @@ CRI-O has the following default list of capabilities that are allowed for each c
 The containers use the capabilities from this default list, but pod manifest authors can alter it by requesting additional capabilities or removing some of the default behaviors. Use the `allowedCapabilities`, `defaultAddCapabilities`, and `requiredDropCapabilities` parameters to control such requests from the pods and to dictate which capabilities can be requested, which ones must be added to each container, and which ones must be forbidden.
 
 [id="authorization-SCC-strategies_{context}"]
-== SCC Strategies
+== Security context constraints strategies
 
 .RunAsUser
 
-. `MustRunAs` - Requires a `runAsUser` to be configured. Uses the configured
+* `MustRunAs` - Requires a `runAsUser` to be configured. Uses the configured
 `runAsUser` as the default. Validates against the configured `runAsUser`.
-. `MustRunAsRange` - Requires minimum and maximum values to be defined if not
+* `MustRunAsRange` - Requires minimum and maximum values to be defined if not
 using pre-allocated values. Uses the minimum as the default. Validates against
 the entire allowable range.
-. `MustRunAsNonRoot` - Requires that the pod be submitted with a non-zero
+* `MustRunAsNonRoot` - Requires that the pod be submitted with a non-zero
 `runAsUser` or have the `USER` directive defined in the image. No default
 provided.
-. `RunAsAny` - No default provided. Allows any `runAsUser` to be specified.
+* `RunAsAny` - No default provided. Allows any `runAsUser` to be specified.
 
 .SELinuxContext
 
-. `MustRunAs` - Requires `seLinuxOptions` to be configured if not using
+* `MustRunAs` - Requires `seLinuxOptions` to be configured if not using
 pre-allocated values. Uses `seLinuxOptions` as the default. Validates against
 `seLinuxOptions`.
-. `RunAsAny` - No default provided. Allows any `seLinuxOptions` to be
+* `RunAsAny` - No default provided. Allows any `seLinuxOptions` to be
 specified.
 
 .SupplementalGroups
 
-. `MustRunAs` - Requires at least one range to be specified if not using
+* `MustRunAs` - Requires at least one range to be specified if not using
 pre-allocated values. Uses the minimum value of the first range as the default.
 Validates against all ranges.
-. `RunAsAny` - No default provided. Allows any `supplementalGroups` to be
+* `RunAsAny` - No default provided. Allows any `supplementalGroups` to be
 specified.
 
 .FSGroup
 
-. `MustRunAs` - Requires at least one range to be specified if not using
+* `MustRunAs` - Requires at least one range to be specified if not using
 pre-allocated values. Uses the minimum value of the first range as the default.
 Validates against the first ID in the first range.
-. `RunAsAny` - No default provided. Allows any `fsGroup` ID to be specified.
+* `RunAsAny` - No default provided. Allows any `fsGroup` ID to be specified.
+
 
 [id="authorization-controlling-volumes_{context}"]
 == Controlling volumes
@@ -170,42 +206,42 @@ The usage of specific volume types can be controlled by setting the `volumes`
 field of the SCC. The allowable values of this field correspond to the volume
 sources that are defined when creating a volume:
 
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#azurefilevolume[`azureFile`]
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#azurediskvolume[`azureDisk`]
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#flocker[`flocker`]
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#flexvolume[`flexVolume`]
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#hostpath[`hostPath`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#awselasticblockstore[`awsElasticBlockStore`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#azuredisk[`azureDisk`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#azurefile[`azureFile`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#cephfs[`cephFS`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#cinder[`cinder`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#configmap[`configMap`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#downwardapi[`downwardAPI`]
 * link:https://kubernetes.io/docs/concepts/storage/volumes/#emptydir[`emptyDir`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#fc[`fc`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#flexvolume[`flexVolume`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#flocker[`flocker`]
 * link:https://kubernetes.io/docs/concepts/storage/volumes/#gcepersistentdisk[`gcePersistentDisk`]
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#awselasticblockstore[`awsElasticBlockStore`]
 * link:https://kubernetes.io/docs/concepts/storage/volumes/#gitrepo[`gitRepo`]
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#secret[`secret`]
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#nfs[`nfs`]
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#iscsi[`iscsi`]
 * link:https://kubernetes.io/docs/concepts/storage/volumes/#glusterfs[`glusterfs`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#hostpath[`hostPath`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#iscsi[`iscsi`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#nfs[`nfs`]
 * link:https://kubernetes.io/docs/concepts/storage/volumes/#persistentvolumeclaim[`persistentVolumeClaim`]
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#rbd[`rbd`]
-* `cinder`
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#cephfs[`cephFS`]
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#downwardapi[`downwardAPI`]
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#fc-fibre-channel[`fc`]
-* `configMap`
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#vspherevolume[`vsphereVolume`]
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#quobyte[`quobyte`]
 * `photonPersistentDisk`
-* link:https://kubernetes.io/docs/concepts/storage/volumes/#projected[`projected`]
 * link:https://kubernetes.io/docs/concepts/storage/volumes/#portworxvolume[`portworxVolume`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#projected[`projected`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#quobyte[`quobyte`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#rbd[`rbd`]
 * link:https://kubernetes.io/docs/concepts/storage/volumes/#scaleio[`scaleIO`]
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#secret[`secret`]
 * link:https://kubernetes.io/docs/concepts/storage/volumes/#storageos[`storageos`]
-* *** (a special value to allow the use of all volume types)
-* `none` (a special value to disallow the use of all volumes types. Exist only for backwards compatibility)
+* link:https://kubernetes.io/docs/concepts/storage/volumes/#vspherevolume[`vsphereVolume`]
+* *** (A special value to allow the use of all volume types.)
+* `none` (A special value to disallow the use of all volumes types. Exists only for backwards compatibility.)
 
 The recommended minimum set of allowed volumes for new SCCs are `configMap`,
 `downwardAPI`, `emptyDir`, `persistentVolumeClaim`, `secret`, and `projected`.
 
 [NOTE]
 ====
-The list of allowable volume types is not exhaustive because new types are
+This list of allowable volume types is not exhaustive because new types are
 added with each release of {product-title}.
 ====
 
@@ -219,7 +255,7 @@ value will be removed from `volumes`.
 
 
 [id="admission_{context}"]
-== Admission
+== Admission control
 _Admission control_ with SCCs allows for control over the creation of resources
 based on the capabilities granted to a user.
 
@@ -249,10 +285,10 @@ just two of the fields that must be validated:
 
 [NOTE]
 ====
-These examples are in the context of a strategy using the preallocated values.
+These examples are in the context of a strategy using the pre-allocated values.
 ====
 
-*A FSGroup SCC strategy of `MustRunAs`*
+*An FSGroup SCC strategy of `MustRunAs`*
 
 If the pod defines a `fsGroup` ID, then that ID must equal the default
 `fsGroup` ID. Otherwise, the pod is not validated by that SCC and the next SCC
@@ -278,9 +314,9 @@ validation, other SCC settings will reject other pod fields and thus cause the
 pod to fail.
 
 [id="scc-prioritization_{context}"]
-== SCC prioritization
+== Security context constraints prioritization
 
-SCCs have a priority field that affects the ordering when attempting to
+Security context constraints (SCCs) have a priority field that affects the ordering when attempting to
 validate a request by the admission controller. A higher priority
 SCC is moved to the front of the set when sorting. When the complete set
 of available SCCs are determined they are ordered by:
diff --git a/modules/security-context-constraints-command-reference.adoc b/modules/security-context-constraints-command-reference.adoc
@@ -3,20 +3,16 @@
 // * authentication/managing-security-context-constraints.adoc
 
 [id="security-context-constraints-command-reference_{context}"]
-= Security context constraints reference commands
+= Reference of security context constraints commands
 
-You can manage SCCs in your instance as normal API objects using the CLI.
+You can manage security context constraints (SCCs) in your instance as normal API objects using the OpenShift CLI (`oc`).
 
 ifdef::openshift-enterprise,openshift-webscale,openshift-origin[]
 [NOTE]
 ====
 You must have `cluster-admin` privileges to manage SCCs.
 ====
 
-[IMPORTANT]
-====
-Do not modify the default SCCs. Customizing the default SCCs can lead to issues when some of the platform pods deploy or {product-title} is upgraded. During upgrades between some versions of {product-title}, the values of the default SCCs are reset to the default values, which discards all customizations to those SCCs.
-====
 endif::openshift-enterprise,openshift-webscale,openshift-origin[]
 
 ifdef::openshift-dedicated[]
@@ -26,7 +22,7 @@ endif::openshift-dedicated[]
 
 
 [id="listing-security-context-constraints_{context}"]
-== Listing SCCs
+== Listing security context constraints
 
 To get a current list of SCCs:
 
@@ -50,7 +46,7 @@ restricted         false   []     MustRunAs   MustRunAsRange     MustRunAs   Run
 ----
 
 [id="examining-a-security-context-constraints-object_{context}"]
-== Examining an SCC
+== Examining security context constraints
 
 You can view information about a particular SCC, including which users, service accounts, and groups the SCC is applied to.
 
@@ -107,7 +103,7 @@ the default SCCs.
 ====
 
 [id="deleting-security-context-constraints_{context}"]
-== Deleting an SCC
+== Deleting security context constraints
 
 To delete an SCC:
 
@@ -123,7 +119,7 @@ If you delete a default SCC, it will regenerate when you restart the cluster.
 
 [id="updating-security-context-constraints_{context}"]
 
-== Updating an SCC
+== Updating security context constraints
 
 To update an existing SCC:
 
