Red Hat Bugzilla – Attachment 1679747 Details for
Bug 1821905
Cannot upgrade from 4.3.8 -> 4.3.9 due to "DefaultSecurityContextConstraints_Mutated"
Default SCC Objects
default-scc-original-new.yaml (text/plain), 7.17 KB, created by
Abu Kashem
on 2020-04-17 19:39:38 UTC
apiVersion: v1
kind: List
items:
- allowHostDirVolumePlugin: false
  allowHostIPC: false
  allowHostNetwork: false
  allowHostPID: false
  allowHostPorts: false
  allowPrivilegeEscalation: true
  allowPrivilegedContainer: false
  allowedCapabilities:
  apiVersion: security.openshift.io/v1
  defaultAddCapabilities:
  fsGroup:
    type: RunAsAny
  groups:
  - system:cluster-admins
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: anyuid provides all features of the restricted SCC
        but allows users to run with any UID and any GID.
    name: anyuid
  priority: 10
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
  - MKNOD
  runAsUser:
    type: RunAsAny
  seLinuxContext:
    type: MustRunAs
  supplementalGroups:
    type: RunAsAny
  users: []
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
- allowHostDirVolumePlugin: true
  allowHostIPC: true
  allowHostNetwork: true
  allowHostPID: true
  allowHostPorts: true
  allowPrivilegeEscalation: true
  allowPrivilegedContainer: false
  allowedCapabilities:
  apiVersion: security.openshift.io/v1
  defaultAddCapabilities:
  fsGroup:
    type: MustRunAs
  groups: []
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: 'hostaccess allows access to all host namespaces but
        still requires pods to be run with a UID and SELinux context that are allocated
        to the namespace. WARNING: this SCC allows host access to namespaces, file systems,
        and PIDS. It should only be used by trusted pods. Grant with caution.'
    name: hostaccess
  priority:
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
  - KILL
  - MKNOD
  - SETUID
  - SETGID
  runAsUser:
    type: MustRunAsRange
  seLinuxContext:
    type: MustRunAs
  supplementalGroups:
    type: RunAsAny
  users: []
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - hostPath
  - persistentVolumeClaim
  - projected
  - secret
- allowHostDirVolumePlugin: true
  allowHostIPC: false
  allowHostNetwork: false
  allowHostPID: false
  allowHostPorts: false
  allowPrivilegeEscalation: true
  allowPrivilegedContainer: false
  allowedCapabilities:
  apiVersion: security.openshift.io/v1
  defaultAddCapabilities:
  fsGroup:
    type: RunAsAny
  groups: []
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: 'hostmount-anyuid provides all the features of the
        restricted SCC but allows host mounts and any UID by a pod. This is primarily
        used by the persistent volume recycler. WARNING: this SCC allows host file
        system access as any UID, including UID 0. Grant with caution.'
    name: hostmount-anyuid
  priority:
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
  - MKNOD
  runAsUser:
    type: RunAsAny
  seLinuxContext:
    type: MustRunAs
  supplementalGroups:
    type: RunAsAny
  users:
  - system:serviceaccount:openshift-infra:pv-recycler-controller
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - hostPath
  - nfs
  - persistentVolumeClaim
  - projected
  - secret
- allowHostDirVolumePlugin: false
  allowHostIPC: false
  allowHostNetwork: true
  allowHostPID: false
  allowHostPorts: true
  allowPrivilegeEscalation: true
  allowPrivilegedContainer: false
  allowedCapabilities:
  apiVersion: security.openshift.io/v1
  defaultAddCapabilities:
  fsGroup:
    type: MustRunAs
  groups: []
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: hostnetwork allows using host networking and host ports
        but still requires pods to be run with a UID and SELinux context that are allocated
        to the namespace.
    name: hostnetwork
  priority:
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
  - KILL
  - MKNOD
  - SETUID
  - SETGID
  runAsUser:
    type: MustRunAsRange
  seLinuxContext:
    type: MustRunAs
  supplementalGroups:
    type: MustRunAs
  users: []
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
- allowHostDirVolumePlugin: false
  allowHostIPC: false
  allowHostNetwork: false
  allowHostPID: false
  allowHostPorts: false
  allowPrivilegeEscalation: true
  allowPrivilegedContainer: false
  allowedCapabilities:
  apiVersion: security.openshift.io/v1
  defaultAddCapabilities:
  fsGroup:
    type: RunAsAny
  groups: []
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: nonroot provides all features of the restricted SCC
        but allows users to run with any non-root UID. The user must specify the UID
        or it must be specified on the by the manifest of the container runtime.
    name: nonroot
  priority:
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
  - KILL
  - MKNOD
  - SETUID
  - SETGID
  runAsUser:
    type: MustRunAsNonRoot
  seLinuxContext:
    type: MustRunAs
  supplementalGroups:
    type: RunAsAny
  users: []
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
- allowHostDirVolumePlugin: true
  allowHostIPC: true
  allowHostNetwork: true
  allowHostPID: true
  allowHostPorts: true
  allowPrivilegeEscalation: true
  allowPrivilegedContainer: true
  allowedCapabilities:
  - "*"
  allowedUnsafeSysctls:
  - "*"
  apiVersion: security.openshift.io/v1
  defaultAddCapabilities:
  fsGroup:
    type: RunAsAny
  groups:
  - system:cluster-admins
  - system:nodes
  - system:masters
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: 'privileged allows access to all privileged and host
        features and the ability to run as any user, any group, any fsGroup, and with
        any SELinux context. WARNING: this is the most relaxed SCC and should be used
        only for cluster administration. Grant with caution.'
    name: privileged
  priority:
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
  runAsUser:
    type: RunAsAny
  seLinuxContext:
    type: RunAsAny
  seccompProfiles:
  - "*"
  supplementalGroups:
    type: RunAsAny
  users:
  - system:admin
  - system:serviceaccount:openshift-infra:build-controller
  volumes:
  - "*"
- allowHostDirVolumePlugin: false
  allowHostIPC: false
  allowHostNetwork: false
  allowHostPID: false
  allowHostPorts: false
  allowPrivilegeEscalation: true
  allowPrivilegedContainer: false
  allowedCapabilities:
  apiVersion: security.openshift.io/v1
  defaultAddCapabilities:
  fsGroup:
    type: MustRunAs
  groups:
  - system:authenticated
  kind: SecurityContextConstraints
  metadata:
    annotations:
      kubernetes.io/description: restricted denies access to all host features and requires
        pods to be run with a UID, and SELinux context that are allocated to the namespace. This
        is the most restrictive SCC and it is used by default for authenticated users.
    name: restricted
  priority:
  readOnlyRootFilesystem: false
  requiredDropCapabilities:
  - KILL
  - MKNOD
  - SETUID
  - SETGID
  runAsUser:
    type: MustRunAsRange
  seLinuxContext:
    type: MustRunAs
  supplementalGroups:
    type: RunAsAny
  users: []
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret