Red Hat OpenShift 4.11 ile Gelen ‘’Yeni Security Context Constraints’’ Politikaları

Security context constraint(SCC)

Description

anyuid

 Provides all features of the restricted SCC, but allows users to run with any UID and any GID. Allows access to all host namespaces but still requires pods to be run with a UID and SELinux context that are allocated to the namespace.

hostaccess

This SCC allows host access to namespaces, file systems, and PIDs. It should only be used by trusted pods. Grant with caution.

hostmount-anyuid

Provides all the features of the restricted SCC, but allows host mounts and running as any UID and any GID on the system.

This SCC allows host file system access as any UID, including UID 0. Grant with caution.

hostnetwork

Allows using host networking and host ports but still requires pods to be run with a UID and SELinux context that is allocated to the namespace.

If additional workloads are run on control plane hosts, use caution when providing access to hostnetwork. A workload that runs hostnetwork on a control plane host is effectively rooted in the cluster and must be trusted accordingly.

hostnetwork-v2

Like the hostnetwork SCC, but with the following differences:

• ALL capabilities are dropped from containers
• The NET_BIND_SERVICE capability can be added explicitly.
• seccompProfile is set to runtime/default by default
• allowPrivilegeEscalation must be unset or set to false in security contexts. Used for the Prometheus node exporter.

node-exporter

Used for the Prometheus node exporter.

This SCC allows host file system access as any UID, including UID 0. Grant with caution.

nonroot

Provides all features of the restricted SCC, but allows users to run with any non-root UID. The user must specify the UID or it must be specified in the manifest of the container runtime. Like the nonroot SCC, but with the following differences: ALL capabilities are dropped from containers.

nonroot-v2

The NET_BIND_SERVICE capability can be added explicitly.

seccompProfile is set to runtime/default by default.

allowPrivilegeEscalation must be unset or set to false in security contexts.

privileged

Allows access to all privileged and host features and the ability to run as any user, any group, any FSGroup, and with any SELinux context.

This is the most relaxed SCC and should be used only for cluster administration. Grant with caution.

The privileged SCC allows:

• Users to run privileged pods
• Pods to mount host directories as volumes
• Pods to run as any user
• Pods to run with any MCS label
• Pods to use the host’s IPC namespace
• Pods to use the host’s PID namespace
• Pods to use any FSGroup
• Pods to use any supplemental group
• Pods to use any seccomp profiles
• Pods to request any capabilities

Setting privileged: true in the pod specification does not necessarily select the privileged SCC. The SCC that has allowPrivilegedContainer: true and has the highest prioritization will be chosen if the user has permission to use it.

restricted

Denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. The restricted SCC:

• Ensures that pods cannot run as privileged
• Ensures that pods cannot mount host directory volumes
• Requires that a pod is run as a user in a pre-allocated range of UIDs
• Requires that a pod is run with a pre-allocated MCS label
• Allows pods to use any FSGroup
• Allows pods to use any supplemental group

In clusters that were upgraded from OpenShift Container Platform 4.10 or earlier, this SCC is available for use by any authenticated user. The restricted SCC is no longer available to users of new OpenShift Container Platform 4.11 installations unless the access is explicitly granted.

restricted-v2

Like the restricted SCC, but with the following differences:

• ALL capabilities are dropped from containers.
• The NET_BIND_SERVICE capability can be added explicitly.
• seccompProfile is set to runtime/default by default.
• allowPrivilegeEscalation must be unset or set to false in security contexts

This is the most restrictive SCC provided by a new installation and will be used by default for authenticated users.

The restricted-v2 SCC is the most restrictive of the SCCs that is included by default with the system. However, you can create a custom SCC that is even more restrictive. For example, you can create an SCC that restricts readOnlyRootFilesystem to true.