Merge pull request #30197 from bergerhoffer/BZ-1931838

BZ-1931838: Removing the ALL option and additional clarification

Author: bergerhoffer

modules/security-context-constraints-about.adoc

@@ -31,16 +31,6 @@ If you have `cluster-admin` privileges, you can adjust the default SCC policies
 be more permissive.
 ////
 
-Docker has a
-link:https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities[default list of capabilities]
-that are allowed for each container of a pod. The
-containers use the capabilities from this default list, but pod manifest authors
-can alter it by requesting additional capabilities or removing some of the
-default behaviors. Use the `allowedCapabilities`, `defaultAddCapabilities`, and
-`requiredDropCapabilities` parameters to control such requests from the
-pods and to dictate which capabilities can be requested, which ones must be
-added to each container, and which ones must be forbidden.
-
 The cluster contains eight default SCCs:
 
 * `anyuid`
@@ -123,6 +113,20 @@ values.
 
 |===
 
+CRI-O has the following default list of capabilities that are allowed for each container of a pod:
+
+* `CHOWN`
+* `DAC_OVERRIDE`
+* `FSETID`
+* `FOWNER`
+* `SETGID`
+* `SETUID`
+* `SETPCAP`
+* `NET_BIND_SERVICE`
+* `KILL`
+
+The containers use the capabilities from this default list, but pod manifest authors can alter it by requesting additional capabilities or removing some of the default behaviors. Use the `allowedCapabilities`, `defaultAddCapabilities`, and `requiredDropCapabilities` parameters to control such requests from the pods and to dictate which capabilities can be requested, which ones must be added to each container, and which ones must be forbidden.
+
 [id="authorization-SCC-strategies_{context}"]
 == SCC Strategies
 

modules/security-context-constraints-creating.adoc

@@ -5,16 +5,16 @@
 [id="security-context-constraints-creating_{context}"]
 = Creating security context constraints
 
-You can create security context constraints (SCCs) by using the CLI.
+You can create security context constraints (SCCs) by using the OpenShift CLI (`oc`).
 
 .Prerequisites
 
-* You must install the `oc` command line.
-* Your account must have `cluster-admin` privileges to create SCCs.
+* Install the OpenShift CLI (`oc`).
+* Log in to the cluster as a user with the `cluster-admin` role.
 
 .Procedure
 
-. Define the SCC in a JSON or YAML file:
+. Define the SCC in a YAML file named `scc_admin.yaml`:
 +
 .`SecurityContextConstraints` object definition
 [source,yaml]
@@ -38,9 +38,9 @@ groups:
 - my-admin-group
 ----
 +
-Optionally, you can add drop capabilities to an SCC by setting the
+Optionally, you can specify drop capabilities for an SCC by setting the
 `requiredDropCapabilities` field with the desired values. Any specified
-capabilities will be dropped from the container. For example, to create an SCC
+capabilities are dropped from the container. For example, to create an SCC
 with the `KILL`, `MKNOD`, and `SYS_CHROOT` required drop capabilities, add
 the following to the SCC object:
 +
@@ -52,17 +52,9 @@ requiredDropCapabilities:
 - SYS_CHROOT
 ----
 +
-You can see the list of possible values in the
-link:https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities[Docker
-documentation].
-+
-[TIP]
-====
-Because capabilities are passed to the Docker, you can use a special `ALL` value
-to drop all possible capabilities.
-====
+CRI-O supports the same list of capability values that are found in the link:https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities[Docker documentation].
 
-. Then, run `oc create` passing the file to create it:
+. Create the SCC by passing in the file:
 +
 [source,terminal]
 ----
@@ -75,7 +67,9 @@ $ oc create -f scc_admin.yaml
 securitycontextconstraints "scc-admin" created
 ----
 
-. Verify that the SCC was created:
+.Verification
+
+* Verify that the SCC was created:
 +
 [source,terminal]
 ----