The pod is not applying the expected security context constraints (SCC) policy


Environment

  • OpenShift Container Platform (OCP) 3.11

Issue

  • The pod is not applying the custom SCC policy even if it has been bound to the service account configured in the pod manifest file.

Resolution

  • As a cluster admin, create the custom SCC policy by copying the default SCC policy that the pod creator's user identity and group membership would otherwise select.
    Examples:
    • for cluster-admin users: the anyuid SCC policy is used by default
    • for project admin users: the restricted SCC policy is used by default
  1. As cluster admin, create the custom SCC manifest for the service account. Assume that the pod will be created by a project admin user, so start from the restricted SCC:

    $ oc get scc restricted -o yaml > user1-restricted.yaml

  2. Edit the SCC manifest file created before to adjust the name and the capabilities required.

  3. Create the custom SCC policy

     $ oc create -f user1-restricted.yaml 
       securitycontextconstraints.security.openshift.io/user1-restricted created
    
  • Then bind the custom SCC policy to the service account that will be used in the pod manifest file.

    $ oc adm policy add-scc-to-user user1-restricted -z user1sa -n user1ns
    scc "user1-restricted" added to: ["system:serviceaccount:user1ns:user1sa"]
    
  • Avoid using a service account that is already bound to another custom SCC policy, because the combination could produce an unwanted configuration.

Root Cause

  • The admission controller first inspects the information of the user creating the pod to determine the SCC policy to apply. In addition, if the pod specifies a service account, the admission controller evaluates the SCC policies allowed for that service account and applies the most restrictive one to the pod.

Diagnostic Steps

  • Details about the project used for the diagnostic purpose:

    Project: "user1ns"
    Project Admin: "developer"
    Service Account: "user1sa"
    SCC Policy: "user1-restricted" created based on the restricted scc policy

  • Verify that your service account is not bound to another SCC policy:

    $ oc get scc -o=custom-columns="SCC:.metadata.name,USER:.users" | grep -E "SCC|user1sa"
    SCC                  USER
    user1-restricted     [system:serviceaccount:user1ns:user1sa]
    
  • Verify the role of the user account used to create the pod, since it determines which SCC policy is applied. In the example, the pod "redis-clusteradmin" was created by a user with cluster-admin privileges, so it is not getting the custom SCC policy:

    $ oc get pods -o=custom-columns="NAME:.metadata.name,SA:.spec.serviceAccount,SCC:.metadata.annotations"
    NAME                 SA        SCC
    redis-admin          user1sa   map[openshift.io/scc:user1-restricted]
    redis-clusteradmin   user1sa   map[openshift.io/scc:anyuid]
    
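As an added check that is not part of the Red Hat solution: a POSIX shell function that reads the output of the `oc get pods -o=custom-columns=...` command shown above and reports every pod of a given service account that is running under an SCC other than the one bound to that service account. The pod listing below is constructed sample data, including a pod whose annotation map carries more than one annotation, so the parser does not rely on the SCC entry being first.

```shell
#!/bin/sh
# Added example, not from the Red Hat article.
# Usage: check_pod_scc <service-account> <expected-scc> < pod-listing
# Reads the custom-columns output (NAME, SA, SCC annotation map) on stdin,
# prints one line per pod of <service-account> whose applied SCC differs
# from <expected-scc>, and exits 1 if any such pod was found.
check_pod_scc() {
    sa="$1"
    expected="$2"
    awk -v sa="$sa" -v expected="$expected" '
        NR == 1 { next }                  # skip the header row
        $2 != sa { next }                 # only pods using this service account
        {
            # The SCC column looks like map[openshift.io/scc:anyuid ...];
            # pull out the value that follows "openshift.io/scc:".
            if (index($0, "openshift.io/scc:") == 0) {
                scc = "<none>"
            } else {
                scc = $0
                sub(/^.*openshift\.io\/scc:/, "", scc)
                sub(/[] ].*$/, "", scc)
            }
            if (scc != expected) {
                printf "%s runs under %s, expected %s\n", $1, scc, expected
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample resembling the diagnostic output in the article.
SAMPLE_PODS='NAME                 SA        SCC
redis-admin          user1sa   map[openshift.io/scc:user1-restricted]
redis-clusteradmin   user1sa   map[openshift.io/scc:anyuid]
redis-annotated      user1sa   map[example.com/note:x openshift.io/scc:user1-restricted]
other-app            default   map[openshift.io/scc:restricted]'

printf '%s\n' "$SAMPLE_PODS" | check_pod_scc user1sa user1-restricted \
    || echo "at least one pod is not using the bound SCC"
```

In a real cluster, pipe `oc get pods -n user1ns -o=custom-columns="NAME:.metadata.name,SA:.spec.serviceAccount,SCC:.metadata.annotations"` into the function instead of the sample.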

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
