Document URL: https://docs.openshift.com/enterprise/3.0/admin_guide/manage_scc.html#creating-new-security-context-constraints Section Number and Name: creating-new-security-context-constraints Describe the issue: Need steps on creating a custom SCC and configuring a pod to use the SCC created. Suggestions for improvement: Additional information: http://lists.openshift.redhat.com/openshift-archives/dev/2015-June/msg00040.html
I see that there is already a "create scc" section. I don't know yet if it is already "custom" or if it is "standard", or something in between. In any case, i think it would be good to explicitly provide a section for each, leading with the most standard scc possible. The custom scc would then refer back to the standard scc, with callouts (perhaps) to highlight the differences and, more importantly, the *why* behind the customization choices made. The complete job should include xrefs to reference material for command "oc create" and for kind "SecurityContextConstraints" (currently in "Architecture" : "Additional Concepts" : "Authorization", i.e., authorization.adoc).
(In reply to Thien-Thi Nguyen from comment #3)
> I see that there is already a "create scc" section. I don't know yet if it
> is already "custom" or if it is "standard", or something in between. In
> any case, i think it would be good to explicitly provide a section for each,
> leading with the most standard scc possible. The custom scc would then
> refer back to the standard scc, with callouts (perhaps) to highlight the
> differences and, more importantly, the *why* behind the customization
> choices made.
>
> The complete job should include xrefs to reference material for command "oc
> create" and for kind "SecurityContextConstraints" (currently in
> "Architecture" : "Additional Concepts" : "Authorization", i.e.,
> authorization.adoc).

Thanks Thien-Thi. That is a good plan. Please set a NEED_INFO for Ryan to get feedback.
@Ryan WDYT of this approach?
Hello,

If we create a custom or new scc other than the default, how can we use this scc when creating a new project using image, template or code is what we are looking for.

For e.g., by default any project uses: openshift.io/scc: restricted

But how can this be changed with the custom scc to create a new pod/deployment? The section in documentation only documents how this is created, not how it can be used?

Please let me know if you need any further information on this.

Regards,
Jaspreet
Example:
~~~
oc get scc restricted -o json > restricted.json
~~~
Give it a new name, change or add some parameters which you want, e.g. allowHostPorts to true.
~~~
oc create -f slightlylessrestricted.json
~~~
(In reply to Miheer Salunke from comment #7) Thanks for the example (which i have made public, btw, as there is no sensitive information there). I have synthesized these into a PR: https://github.com/openshift/openshift-docs/pull/970 WDYT?
(In reply to Jaspreet Kaur from comment #6)
> The section in documentation only documents how this is created not how it
> can be used ?

I understand "how it can be used" as "what authorization policy decisions can be reflected via a particular SCC object". Is that a correct interpretation? If so, i believe that kind of material belongs best in the Architectural (Additional Concepts) section "Security Context Constraints"; improvements there probably warrant another (separate) BZ. If not, could you please review the PR linked in comment #8 and see if it is acceptable?
Couple of issues on why I believe creating custom SCC is needed.

1. This section could better outline what all can be done within SCC to allow special containers to run with more capabilities.
   - More explanation on what can be set, where more information can be found, and what effect this can have on overall security for the following:
     - runAsUser:
     - seLinuxContext:
     - allowedCapabilities:
   - Explanation on what can be added to a SCC like the following (Can we have a link to the [api](https://docs.openshift.com/enterprise/3.0/rest_api/openshift_v1.html#v1-securitycontext) also? Where does hostDirVolumePlugin come from?):
     - allowHostDirVolumePlugin:
     - allowPrivilegedContainer:

2. Constantly editing the 2 default SCC can affect the environment as a whole. Showing a workflow on how to create a custom SCC would help in the long run to reduce future issues. Example of why just editing one of these is not best practice: in this [section](https://docs.openshift.com/enterprise/3.0/admin_guide/manage_scc.html#provide-additional-capabilities) it says not to edit the default restricted SCC to enable additional capabilities. Yet above there are steps to edit the scc restricted to show how to enable images to run as users.

3. If adding a custom or default SCC to a DC or POD we need examples of how this is done.
   - In your project create the following service account:
     ~~~
     # echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"My_SVCA"}}' | oc create -n My_Project -f -
     ~~~
   - Change My_SVCA to a name of your choosing and My_Project to the project in which you are working. https://docs.openshift.com/enterprise/3.0/dev_guide/service_accounts.html#managing-service-accounts
   - Then add the service account to SCC privileged:
     ~~~
     # oc edit scc privileged
     ~~~
     Add the following under users:
     ~~~
     - system:serviceaccount:My_Project:My_SVCA
     ~~~
     https://docs.openshift.com/enterprise/3.0/admin_guide/manage_scc.html#grant-access-to-the-privileged-scc
   - Finally add the following to your DeploymentConfig: insert serviceAccount and serviceAccountName under the "spec" section.
     ~~~
     # oc edit dc <dcname>
     serviceAccount: My_SVCA
     serviceAccountName: My_SVCA
     ~~~
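The workflow sketched in comments #7 and #10 (derive a custom SCC from `restricted`, grant it to a service account, bind a DeploymentConfig to that account) can be modelled offline to show what actually changes between the default SCC and the custom one. The script below is an added example, not from this thread or the OpenShift docs; it assumes a constructed, trimmed JSON document in the shape of `oc get scc restricted -o json`, and the project and service account names `myproject` / `mysa` are placeholders. The resulting dictionary is what you would write to a file and pass to `oc create -f`; the real SCC fields `allowHostPorts`, `allowHostDirVolumePlugin`, `allowPrivilegedContainer`, `allowedCapabilities`, `runAsUser`, `seLinuxContext`, `users` and `groups` are the ones named in the thread.

```python
"""Derive a custom SCC from a base SCC, grant it to a service account and bind
a DeploymentConfig to that service account. Added example; the SCC JSON below
is a constructed stand-in for `oc get scc restricted -o json` output."""
import copy
import json
import re

# Constructed, trimmed stand-in for the default "restricted" SCC.
RESTRICTED_SCC = {
    "kind": "SecurityContextConstraints",
    "apiVersion": "v1",
    "metadata": {"name": "restricted", "resourceVersion": "1", "uid": "placeholder-uid"},
    "allowHostDirVolumePlugin": False,
    "allowHostNetwork": False,
    "allowHostPorts": False,
    "allowPrivilegedContainer": False,
    "allowedCapabilities": None,
    "runAsUser": {"type": "MustRunAsRange"},
    "seLinuxContext": {"type": "MustRunAs"},
    "groups": ["system:authenticated"],
    "users": [],
}

# Fields this helper will let you loosen via keyword overrides. runAsUser and
# seLinuxContext are deliberately excluded: change those by hand, on purpose.
LOOSENABLE = {"allowHostPorts", "allowHostDirVolumePlugin", "allowHostNetwork",
              "allowPrivilegedContainer", "allowedCapabilities"}

# DNS-1123 label: a safe subset of what the API accepts for resource names.
DNS1123_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")


def _check_name(name, what):
    if not DNS1123_LABEL.match(name or ""):
        raise ValueError(f"{what} {name!r} is not a valid lowercase DNS-1123 label")


def derive_scc(base, new_name, **overrides):
    """Copy `base`, drop cluster-assigned metadata, rename, apply overrides."""
    _check_name(new_name, "SCC name")
    if new_name == base["metadata"]["name"]:
        raise ValueError("custom SCC must not reuse the default SCC name")
    scc = copy.deepcopy(base)             # never mutate the default in place
    scc["metadata"] = {"name": new_name}  # resourceVersion/uid would be rejected
    for field, value in overrides.items():
        if field not in LOOSENABLE:
            raise KeyError(f"{field} is not a field this helper will override")
        scc[field] = value
    return scc


def diff_scc(base, derived):
    """Map of field -> (base value, derived value) for every non-metadata
    difference; the reviewable record of what the custom SCC loosens."""
    return {k: (base[k], derived.get(k)) for k in base
            if k != "metadata" and base[k] != derived.get(k)}


def service_account_user(project, sa_name):
    """The user string an SCC's `users` list expects for a service account."""
    _check_name(project, "project")
    _check_name(sa_name, "service account")
    return f"system:serviceaccount:{project}:{sa_name}"


def grant_scc_to_sa(scc, project, sa_name):
    """Add the service account to the SCC's users list (idempotent)."""
    user = service_account_user(project, sa_name)
    users = scc.get("users") or []
    if user not in users:
        users.append(user)
    scc["users"] = users
    return scc


def bind_dc_to_sa(dc, sa_name):
    """Set serviceAccountName on the DC's pod template, which is where the
    pod spec lives (spec.template.spec), so new pods run as that account."""
    _check_name(sa_name, "service account")
    pod_spec = dc.setdefault("spec", {}).setdefault("template", {}).setdefault("spec", {})
    pod_spec["serviceAccountName"] = sa_name
    return dc


if __name__ == "__main__":
    custom = derive_scc(RESTRICTED_SCC, "slightlylessrestricted", allowHostPorts=True)
    grant_scc_to_sa(custom, "myproject", "mysa")
    print("changes vs restricted:", diff_scc(RESTRICTED_SCC, custom))
    # This JSON is what you would save and hand to `oc create -f`.
    print(json.dumps(custom, indent=2))
    dc = bind_dc_to_sa({"kind": "DeploymentConfig", "metadata": {"name": "app"}}, "mysa")
    print(json.dumps(dc, indent=2))
```

`diff_scc` is the part worth keeping in a review checklist: it lists exactly which fields the custom SCC loosens relative to the default, which is the "why" behind the customization that comment #3 asks the docs to call out. Dropping `resourceVersion` and `uid` before `oc create` is what makes the copied-from-`restricted` JSON creatable as a new object.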
BTW, latest renderings can always (until bug is closed) be found in dir: http://file.brq.redhat.com/~tnguyen/tmp/bz1257346/
I've incorporated point 3 from comment #10, and explained it a bit in: https://github.com/openshift/openshift-docs/pull/970#issuecomment-145062411
(In reply to Jaspreet Kaur from comment #6)
> If we create a custom or new scc other than the default. How can we use this
> scc when creating a new project using image, template or code is what we are
> looking for.
>
> for eg: by default any project uses : openshift.io/scc: restricted
>
> But how this can be changed with the custom scc to create a new
> pod/deployment ?
>
> The section in documentation only documents how this is created not how it
> can be used ?

Oops, in reviewing this BZ prior to closing (PR 970 has been merged), i just noticed that i have not responded to you. Sorry for this oversight. Could you PTAL at the current text? Does it answer your questions? I will defer closing this BZ until you are satisfied. (We might need to create another PR, but that's no problem.)
The PR was merged on 2015-10-07: https://github.com/openshift/openshift-docs/pull/970#event-429628649 so i'm moving status to CLOSED (CURRENTRELEASE) now.