Bug 1257346 - Creating a Custom SCC and configuring a pod to run with this SCC
Status: CLOSED NEXTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.0.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Assigned To: Thien-Thi Nguyen
Vikram Goyal
Vikram Goyal
Reported: 2015-08-26 17:01 EDT by Ryan Howe
Modified: 2016-08-04 21:27 EDT
Doc Type: Bug Fix
Last Closed: 2015-10-14 14:04:48 EDT
Type: Bug
Description Ryan Howe 2015-08-26 17:01:33 EDT
Document URL: https://docs.openshift.com/enterprise/3.0/admin_guide/manage_scc.html#creating-new-security-context-constraints


Section Number and Name: creating-new-security-context-constraints


Describe the issue: Need steps on creating a custom SCC and configuring a pod to use the SCC created.

Suggestions for improvement: 

Additional information: 
http://lists.openshift.redhat.com/openshift-archives/dev/2015-June/msg00040.html
Comment 3 Thien-Thi Nguyen 2015-08-31 12:54:10 EDT
I see that there is already a "create scc" section.  I don't know yet if it is already "custom" or if it is "standard", or something in between.  In any case, i think it would be good to explicitly provide a section for each, leading with the most standard scc possible.  The custom scc would then refer back to the standard scc, with callouts (perhaps) to highlight the differences and, more importantly, the *why* behind the customization choices made.

The complete job should include xrefs to reference material for command "oc create" and for kind "SecurityContextConstraints" (currently in "Architecture" : "Additional Concepts" : "Authorization", i.e., authorization.adoc).
Comment 4 Vikram Goyal 2015-09-01 02:56:50 EDT
(In reply to Thien-Thi Nguyen from comment #3)
> I see that there is already a "create scc" section.  I don't know yet if it
> is already "custom" or if it is "standard", or something in between.  In
> any case, i think it would be good to explicitly provide a section for each,
> leading with the most standard scc possible.  The custom scc would then
> refer back to the standard scc, with callouts (perhaps) to highlight the
> differences and, more importantly, the *why* behind the customization
> choices made.
> 
> The complete job should include xrefs to reference material for command "oc
> create" and for kind "SecurityContextConstraints" (currently in
> "Architecture" : "Additional Concepts" : "Authorization", i.e.,
> authorization.adoc).

Thanks Thien-Thi. That is a good plan. Please set a NEED_INFO for Ryan to get feedback.
Comment 5 Thien-Thi Nguyen 2015-09-08 18:56:19 EDT
@Ryan WDYT of this approach?
Comment 6 Jaspreet Kaur 2015-09-09 01:46:16 EDT
Hello,

If we create a custom or new SCC other than the default, how can we use this SCC when creating a new project using an image, template or code? That is what we are looking for.

For example, by default any project uses: openshift.io/scc: restricted

But how can this be changed to use the custom SCC when creating a new pod/deployment?

The section in the documentation only documents how this is created, not how it can be used.

Please let me know if you need any further information on this. 

Regards,
Jaspreet
Comment 7 Miheer Salunke 2015-09-09 05:25:52 EDT
Example:
 oc get scc restricted -o json > restricted.json

 Give it a new name, then change or add the parameters you want, e.g. allowHostPorts to true

 oc create -f slightlylessrestricted.json
Comment 8 Thien-Thi Nguyen 2015-09-17 10:29:53 EDT
(In reply to Miheer Salunke from comment #7)

Thanks for the example (which i have made public, btw, as there is no sensitive
information there).  I have synthesized these into a PR:

 https://github.com/openshift/openshift-docs/pull/970

WDYT?
Comment 9 Thien-Thi Nguyen 2015-09-17 10:58:44 EDT
(In reply to Jaspreet Kaur from comment #6)

> The section in documentation only documents how this is created not how it
> can be used ?

I understand "how it can be used" as "what authorization policy decisions can be reflected via a particular SCC object".  Is that a correct interpretation?

If so, i believe that kind of material belongs best in the Architectural (Additional Concepts) section "Security Context Constraints"; improvements there probably warrant another (separate) BZ.

If not, could you please review the PR linked in comment #8 and see if it is acceptable?
Comment 10 Ryan Howe 2015-09-17 13:02:09 EDT
A couple of issues on why I believe creating a custom SCC is needed.

1. This section could better outline what all can be done within an SCC to allow special containers to run with more capabilities.
    - More explanation on what can be set, where more information can be found, and what effect this can have on overall security for the following:
        - runAsUser:
        - seLinuxContext:
        - allowedCapabilities:
    - Explanation on what can be added to an SCC, like the following (can we have a link to the [api](https://docs.openshift.com/enterprise/3.0/rest_api/openshift_v1.html#v1-securitycontext) also? Where does hostDirVolumePlugin come from?):
        - allowHostDirVolumePlugin:
        - allowPrivilegedContainer:

2. Constantly editing the 2 default SCCs can affect the environment as a whole. Showing a workflow on how to create a custom SCC would help in the long run to reduce future issues.

Example of why just editing one of these is not best practice:
In this [section](https://docs.openshift.com/enterprise/3.0/admin_guide/manage_scc.html#provide-additional-capabilities) it says not to edit the default restricted SCC to enable additional capabilities.  Yet above there are steps to edit the restricted SCC to show how to enable images to run as users.

3. If adding a custom or default SCC to a DC or pod, we need examples of how this is done.

- In your project, create the following service account:
~~~
    # echo '{"kind":"ServiceAccount","apiVersion":"v1","metadata":{"name":"My_SVCA"}}' | oc create -n My_Project -f -
~~~
- Change My_SVCA to a name of your choosing and My_Project to the project in which you are working.

https://docs.openshift.com/enterprise/3.0/dev_guide/service_accounts.html#managing-service-accounts

- Then add the service account to the privileged SCC.
~~~
    # oc edit scc privileged

    Add the following under users:
      - system:serviceaccount:My_Project:My_SVCA
~~~
https://docs.openshift.com/enterprise/3.0/admin_guide/manage_scc.html#grant-access-to-the-privileged-scc


Finally, add the following to your DeploymentConfig: insert serviceAccount and serviceAccountName under the "spec" section.
~~~
# oc edit dc <dcname>

      serviceAccount: My_SVCA
      serviceAccountName: My_SVCA
~~~
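The workflow described in this comment and in comment 7 (export a default SCC, rename it, change a setting, create it, then bind a service account and point the DC at it), as an added Python example that is not part of this bug report or of the OpenShift docs PR. It builds the manifests offline: the `restricted` export below is a constructed, trimmed sample of what `oc get scc restricted -o json` returns (the v1 SecurityContextConstraints field names are real, the values and UID are assumed), the project and names reuse those from the comment, and it goes one step beyond the comment by granting the service account the new custom SCC instead of `privileged`, which is the point of having a custom SCC. Two details the steps gloss over are handled: the exported JSON carries server-populated metadata (`resourceVersion`, `uid`, `selfLink`, `creationTimestamp`) that must be dropped or the API server rejects the create, and the service account fields are placed in the pod template's spec (`spec.template.spec`), which is the `spec` that carries pod-level fields.

```python
"""Derive a custom SCC from an exported default one, grant it to a service
account, and produce the DC patch that makes pods run under that account.
Added example; not OpenShift's code.  The export below is a constructed sample."""
import copy
import json

# Constructed sample of `oc get scc restricted -o json`; the server-populated
# metadata is included on purpose, because a real export carries it too.
RESTRICTED_SCC_EXPORT = json.loads("""
{
  "kind": "SecurityContextConstraints",
  "apiVersion": "v1",
  "metadata": {
    "name": "restricted",
    "selfLink": "/api/v1/securitycontextconstraints/restricted",
    "uid": "00000000-0000-0000-0000-000000000000",
    "resourceVersion": "42",
    "creationTimestamp": "2015-08-26T21:01:00Z"
  },
  "allowPrivilegedContainer": false,
  "allowHostDirVolumePlugin": false,
  "allowHostNetwork": false,
  "allowHostPorts": false,
  "allowedCapabilities": null,
  "runAsUser": {"type": "MustRunAsRange"},
  "seLinuxContext": {"type": "MustRunAs"},
  "groups": ["system:authenticated"],
  "users": []
}
""")


def derive_scc(base, new_name, **overrides):
    """Copy an exported SCC under a new name and apply the requested changes.
    metadata is replaced wholesale: `oc create -f` refuses an object that still
    has resourceVersion set, and uid/selfLink/creationTimestamp are server-owned.
    Only fields that exist in the export may be overridden, so a typo such as
    allowHostPort (no s) fails here instead of being silently ignored."""
    scc = copy.deepcopy(base)
    scc["metadata"] = {"name": new_name}
    for key, value in overrides.items():
        if key not in base:
            raise KeyError("not a field of the exported SCC: %s" % key)
        scc[key] = value
    return scc


def scc_diff(base, custom):
    """{field: (base_value, custom_value)} for every top-level difference,
    metadata excluded: the callout list a reviewer wants before approving."""
    keys = (set(base) | set(custom)) - {"metadata"}
    return {k: (base.get(k), custom.get(k)) for k in sorted(keys)
            if base.get(k) != custom.get(k)}


def service_account_user(project, sa_name):
    """The user name under which an SA appears in an SCC's users list."""
    return "system:serviceaccount:%s:%s" % (project, sa_name)


def grant_scc_to_service_account(scc, project, sa_name):
    """Add the SA to the SCC's users list (idempotent; tolerates users: null)."""
    user = service_account_user(project, sa_name)
    users = scc.get("users") or []
    if user not in users:
        users.append(user)
    scc["users"] = users
    return scc


def service_account_manifest(sa_name):
    return {"kind": "ServiceAccount", "apiVersion": "v1",
            "metadata": {"name": sa_name}}


def dc_pod_template_patch(sa_name):
    """Strategic-merge patch (for `oc patch dc <name> -p '<json>'`) that sets
    the service account on the DC's pod template, where pod-level fields live."""
    return {"spec": {"template": {"spec": {
        "serviceAccount": sa_name, "serviceAccountName": sa_name}}}}


def build_workflow(project="My_Project", sa_name="My_SVCA",
                   scc_name="slightlylessrestricted"):
    """All three manifests for the procedure, plus the list of loosened fields."""
    custom = derive_scc(RESTRICTED_SCC_EXPORT, scc_name, allowHostPorts=True)
    grant_scc_to_service_account(custom, project, sa_name)
    return {"scc": custom,
            "scc_changes": scc_diff(RESTRICTED_SCC_EXPORT, custom),
            "service_account": service_account_manifest(sa_name),
            "dc_patch": dc_pod_template_patch(sa_name)}


if __name__ == "__main__":
    out = build_workflow()
    for key in ("scc", "service_account", "dc_patch"):  # each goes to oc create/patch
        print("# %s\n%s\n" % (key, json.dumps(out[key], indent=2)))
    print("# loosened relative to restricted:", out["scc_changes"])
```

The `scc_changes` output is the part worth attaching to a change request: it lists exactly which constraints the custom SCC relaxes relative to `restricted`, which is the "why" callout comment 3 asks the docs to carry.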
Comment 11 Thien-Thi Nguyen 2015-10-02 10:39:37 EDT
BTW, the latest renderings can always (until the bug is closed) be found in dir: http://file.brq.redhat.com/~tnguyen/tmp/bz1257346/
Comment 12 Thien-Thi Nguyen 2015-10-02 16:01:08 EDT
I've incorporated point 3 from comment #10, and explained it a bit in:
https://github.com/openshift/openshift-docs/pull/970#issuecomment-145062411
Comment 13 Thien-Thi Nguyen 2015-10-09 13:42:06 EDT
(In reply to Jaspreet Kaur from comment #6)

> If we create a custom or new SCC other than the default, how can we use this
> SCC when creating a new project using an image, template or code? That is what
> we are looking for.
>
> For example, by default any project uses: openshift.io/scc: restricted
>
> But how can this be changed to use the custom SCC when creating a new
> pod/deployment?
>
> The section in the documentation only documents how this is created, not how
> it can be used.

Oops, in reviewing this BZ prior to closing (PR 970 has been merged), i just noticed that i have not responded to you.  Sorry for this oversight.

Could you PTAL at the current text?  Does it answer your questions?

I will defer closing this BZ until you are satisfied.  (We might need to do create another PR, but that's no problem.)
Comment 14 Thien-Thi Nguyen 2015-10-14 14:04:48 EDT
The PR was merged on 2015-10-07:

 https://github.com/openshift/openshift-docs/pull/970#event-429628649

so i'm moving status to CLOSED (CURRENTRELEASE) now.
