How to allow project admins to use Security Context Constraints

Solution Verified - Updated -

Issue

  • Project admins cannot use Security Context Constraints (SCCs) by default.
  • A project admin user cannot use SCCs despite having a role which allows them to use SCCs.
  • The following error is displayed when the user attempts to assign an SCC:
    Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "system:openshift:scc:anyuid" is forbidden: user "user1" (groups=["system:authenticated:oauth" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
    {APIGroups:["security.openshift.io"], Resources:["securitycontextconstraints"], ResourceNames:["anyuid"], Verbs:["use"]}; resolution errors: [clusterroles.rbac.authorization.k8s.io "anyuid-scc" not found]
  • This works if a cluster role is assigned to the same user instead of a role.

Environment

  • OpenShift Container Platform 4.x
