Bug 1315850

Summary: [DOCS] Running containers/pods with Security Context to run as UID
Product: OpenShift Container Platform
Reporter: Ryan Howe <rhowe>
Component: Documentation
Assignee: Ashley Hardin <ahardin>
Status: CLOSED CURRENTRELEASE
QA Contact: Chuan Yu <chuyu>
Severity: medium
Docs Contact: Vikram Goyal <vigoyal>
Priority: low
Version: 3.1.0
CC: aos-bugs, jokerman, mmccomas, pweil
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2018-03-09 16:23:14 UTC
Type: Bug

Description Ryan Howe 2016-03-08 18:56:26 UTC
Document URL: https://docs.openshift.com/enterprise/3.1/admin_guide/manage_scc.html

Describe the issue: 

- We need information on how setting SecurityContext in a pod or container works with the SCC that the pod is running with. 

- Information is needed on use cases for setting the SecurityContext in a pod or container. For example, how to run a container with a given UID or SELinux options via a Deployment config or build config.
  - How does the SCC affect this?
  - How does the project/namespace affect this with the annotations [openshift.io/sa.scc.uid-range: 1000120000/10000]?

Suggestions for improvement: 
 - Use case needed

Additional information: 

- Pod API info
  https://docs.openshift.com/enterprise/3.1/rest_api/kubernetes_v1.html#v1-pod
  https://docs.openshift.com/enterprise/3.1/rest_api/kubernetes_v1.html#v1-podspec
  https://docs.openshift.com/enterprise/3.1/rest_api/openshift_v1.html#v1-securitycontext

- Container API info
  https://docs.openshift.com/enterprise/3.1/rest_api/kubernetes_v1.html#v1-container
  https://docs.openshift.com/enterprise/3.1/rest_api/kubernetes_v1.html#v1-securitycontext

Kube Docs:
- https://github.com/kubernetes/kubernetes/blob/master/docs/design/security_context.md
- https://github.com/kubernetes/kubernetes/blob/master/docs/proposals/pod-security-context.md

Comment 3 Ashley Hardin 2018-01-17 18:52:56 UTC
Work in progress: https://github.com/openshift/openshift-docs/pull/7210

Comment 4 Ashley Hardin 2018-01-18 00:14:33 UTC
I discussed this with Paul and Slava. This bug was filed a while ago against 3.1 docs and it seems like our docs have come a long way since then to address most of the original issue, namely within these topics:

https://docs.openshift.org/latest/install_config/persistent_storage/pod_security_context.html

https://docs.openshift.org/latest/architecture/additional_concepts/authorization.html#security-context-constraints

I do not see `oc explain` recommended anywhere, so I opened this PR to include that.
https://github.com/openshift/openshift-docs/pull/7210

Comment 5 Chuan Yu 2018-01-18 09:32:21 UTC
The changes look good and verified with OCP3.1

openshift v3.1.1.11-9-g44fe9ba
kubernetes v1.1.0-origin-1107-g4c8e6f4
etcd 2.1.2

Comment 6 openshift-github-bot 2018-03-06 19:01:06 UTC
Commits pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/64e3edbb5a57b4a093fc1b36fa8b087e9592bc68
Bug 1315850, added supplemental information about SCC

https://github.com/openshift/openshift-docs/commit/a3fa586374f15f7d18224f9f240da4b6d7d0a008
Merge pull request #7210 from ahardin-rh/scc-improvements

Bug 1315850, added supplemental information about SCC