How to add proper Security Context Constraint (SCC) to the application in the OCP
Environment
- Red Hat OpenShift Container Platform
- 4.12+
Issue
- After an OCP upgrade the application can no longer start, because the Security Context Constraints (SCCs) available to it have changed.
- How to grant the proper Security Context Constraint (SCC) to an application in OCP?
Resolution
Use the oc tool to find the service account the application runs as:
$ oc get statefulset <statefulset_name> -oyaml|grep serviceAccount
serviceAccount: default
serviceAccountName: default
The oc adm policy scc-subject-review command reports which SCC would admit the pod template. With no --user or -z given, the review runs as the current user, so for an administrator it names the SCC whose rules the pod spec satisfies (hostmount-anyuid here, because the spec mounts a hostPath volume); that is the SCC the application's service account has to be granted. Add -z <service_account> to review against the application's own service account instead, which shows whether it is already granted.
$ oc get statefulset <statefulset_name> -oyaml | oc adm policy scc-subject-review --filename -
RESOURCE ALLOWED BY
StatefulSet/<statefulset_name> hostmount-anyuid
Bind the hostmount-anyuid Security Context Constraint (SCC) to that service account. Run the command in the application's namespace (or pass -n <namespace>), because -z names a service account in the current namespace.
$ oc adm policy add-scc-to-user hostmount-anyuid -z default
Granting an SCC to the default service account extends it to every pod in the namespace that runs as default. Where possible, create a dedicated service account for the application, set it as serviceAccountName in the pod template, and bind the SCC to that account instead.
Root Cause
By default, a pod whose service account has not been granted a more permissive SCC is admitted under the restricted SCC, which among other things does not allow hostPath volumes. The admitted SCC is recorded in the pod's openshift.io/scc annotation:
$ oc get po <pod_name> -oyaml|grep scc
openshift.io/scc: restricted
Diagnostic Steps
Use the oc tool to inspect the application that cannot start:
$ oc get statefulset
NAME READY AGE
<statefulset_name> 0/1 10m
$ oc get po
NAME READY STATUS RESTARTS AGE
<pod_name> 0/1 Pending 0 10m
$ oc get statefulset <statefulset_name> -oyaml|grep serviceAccount
serviceAccount: default
serviceAccountName: default
$ oc get po <pod_name> -oyaml|grep scc
openshift.io/scc: restricted
$ oc get events
10m Warning FailedCreate statefulset/<statefulset_name>
create Pod <pod_name> in StatefulSet <statefulset_name> failed error: pods "<pod_name>" is forbidden: unable to validate against any security context constraint:
[provider "anyuid": Forbidden: not usable by user or serviceaccount,
provider "stackrox-admission-control": Forbidden: not usable by user or serviceaccount,
provider "stackrox-sensor": Forbidden: not usable by user or serviceaccount,
provider "stackrox-central": Forbidden: not usable by user or serviceaccount, spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used,
provider "nonroot-v2": Forbidden: not usable by user or serviceaccount,
provider "nonroot": Forbidden: not usable by user or serviceaccount,
provider "noobaa": Forbidden: not usable by user or serviceaccount,
provider "noobaa-endpoint": Forbidden: not usable by user or serviceaccount,
provider "stackrox-central-db": Forbidden: not usable by user or serviceaccount,
provider "stackrox-scanner": Forbidden: not usable by user or serviceaccount,
provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount,
provider "elasticsearch-scc": Forbidden: not usable by user or serviceaccount,
provider "log-collector-scc": Forbidden: not usable by user or serviceaccount,
provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount,
provider "hostnetwork": Forbidden: not usable by user or serviceaccount,
provider "hostaccess": Forbidden: not usable by user or serviceaccount,
provider "ocs-metrics-exporter": Forbidden: not usable by user or serviceaccount,
provider "stackrox-collector": Forbidden: not usable by user or serviceaccount,
provider "rook-ceph": Forbidden: not usable by user or serviceaccount,
provider "node-exporter": Forbidden: not usable by user or serviceaccount,
provider "rook-ceph-csi": Forbidden: not usable by user or serviceaccount,
provider "privileged": Forbidden: not usable by user or serviceaccount]
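The procedure in Resolution and the checks in Diagnostic Steps, scripted as an added example that is not part of the Red Hat solution. Helper functions parse the StatefulSet manifest, the scc-subject-review table and the FailedCreate event message, print the add-scc-to-user command for review, and run it only when APPLY=1 is set. The namespace demo, the StatefulSet web and the SAMPLE_* outputs embedded in the script are constructed for this example; the oc commands and flags are real.

```shell
#!/bin/sh
# Added example, not part of the original solution. Helpers for the
# "find the service account, find the admitting SCC, bind it" procedure.
# Namespace "demo", StatefulSet "web" and the SAMPLE_* outputs below are
# constructed for this example.
set -eu

# Constructed sample of `oc get statefulset web -o yaml` (trimmed).
SAMPLE_STS='apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
  namespace: demo
spec:
  template:
    spec:
      serviceAccount: default
      serviceAccountName: default
      volumes:
      - name: data
        hostPath:
          path: /var/lib/web'

# Constructed sample of `oc adm policy scc-subject-review --filename -` output.
SAMPLE_REVIEW='RESOURCE          ALLOWED BY
StatefulSet/web   hostmount-anyuid'

# Constructed sample of a FailedCreate event message, shortened to three providers.
SAMPLE_EVENT='create Pod web-0 in StatefulSet web failed error: pods "web-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "restricted-v2": Forbidden: spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used, provider "privileged": Forbidden: not usable by user or serviceaccount]'

# Print the serviceAccountName of the pod template read from stdin.
# An absent field means the API server assigns "default".
service_account_of() {
    sa=$(sed -n 's/^[[:space:]]*serviceAccountName:[[:space:]]*//p' | head -n 1)
    printf '%s\n' "${sa:-default}"
}

# Read scc-subject-review output from stdin; print the ALLOWED BY column for
# the resource named in $1 (e.g. StatefulSet/web).
admitting_scc() {
    awk -v res="$1" '$1 == res { print $2 }'
}

# Read a FailedCreate event message from stdin and print only the spec
# violations (e.g. a forbidden hostPath volume). The "not usable by user or
# serviceaccount" entries are dropped: they list SCCs the service account was
# never granted and say nothing about what the pod spec needs.
denied_reasons() {
    tr ',' '\n' | sed -n 's/.*Invalid value: "[^"]*": //p' | sort -u
}

# Compose the binding command for review. -n matters: -z names a service
# account in the selected namespace, and the binding is created there.
grant_cmd() {
    printf 'oc adm policy add-scc-to-user %s -z %s -n %s\n' "$3" "$2" "$1"
}

# Live flow against a cluster: sh scc_fix.sh --live <namespace> <statefulset>
# Only prints the grant command unless APPLY=1 is set.
live() {
    ns=$1; sts=$2
    manifest=$(oc get statefulset "$sts" -n "$ns" -o yaml)
    sa=$(printf '%s\n' "$manifest" | service_account_of)
    # Reviewed as the current (admin) user: which SCC's rules does the spec satisfy?
    needed=$(printf '%s\n' "$manifest" \
        | oc adm policy scc-subject-review -n "$ns" --filename - \
        | admitting_scc "StatefulSet/$sts")
    # Reviewed as the application's own service account: is that SCC already granted?
    granted=$(printf '%s\n' "$manifest" \
        | oc adm policy scc-subject-review -n "$ns" -z "$sa" --filename - \
        | admitting_scc "StatefulSet/$sts")
    echo "service account: $sa  needed SCC: $needed  currently admitted by: ${granted:-none}"
    echo "spec violations reported by admission:"
    oc get events -n "$ns" --field-selector reason=FailedCreate \
        -o jsonpath='{.items[*].message}' | denied_reasons
    cmd=$(grant_cmd "$ns" "$sa" "$needed")
    echo "to fix: $cmd"
    if [ "${APPLY:-0}" = 1 ]; then
        eval "$cmd"
        # The StatefulSet controller retries the create; once the pod exists,
        # the admitted SCC is recorded in its openshift.io/scc annotation.
        echo "re-check with: oc get pod ${sts}-0 -n $ns -o jsonpath='{.metadata.annotations.openshift\\.io/scc}'"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live "$2" "$3"
fi
```

The two reviews in live answer different questions: without -z the command tells you which SCC the pod spec needs, with -z it tells you whether the service account already has one that admits it. Printing the grant command before executing it keeps the change reviewable, which matters when the target is the default service account shared by every pod in the namespace.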
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.