$ oc policy scc-review -z system:serviceaccount:projectname:default -f my_resource.yaml
- Documentation
- OpenShift Container Platform
- Developer Guide
- Authorization history
- About
- Release Notes
- Getting Started
- Architecture
- Container Security Guide
- Installation and Configuration
- Overview
- Installing a Cluster
- Setting up the Registry
- Setting up a Router
- Upgrading a Cluster
- Downgrading
- Master and Node Configuration
- Adding Hosts to an Existing Cluster
- Loading the Default Image Streams and Templates
- Configuring Custom Certificates
- Redeploying Certificates
- Configuring Authentication and User Agent
- Syncing Groups with LDAP
- Configuring LDAP failover
- Configuring the SDN
- Configuring Nuage SDN
- Configuring for AWS
- Configuring for OpenStack
- Configuring for GCE
- Configuring for Azure
- Configuring for VMWare vSphere
- Configuring Persistent Storage
- Overview
- Using NFS
- Using GlusterFS
- Using OpenStack Cinder
- Using Ceph RBD
- Using AWS Elastic Block Store
- Using GCE Persistent Disk
- Using iSCSI
- Using Fibre Channel
- Using Azure Disk
- Using Azure File
- Using FlexVolume
- Using VMware vSphere volumes for persistent storage
- Dynamic Provisioning and Creating Storage Classes
- Volume Security
- Selector-Label Volume Binding
- Enabling Controller-managed Attachment and Detachment
- Persistent Storage Examples
- Overview
- Sharing an NFS PV Across Two Pods
- Using Ceph RBD for persistent storage
- Using Ceph RBD for dynamic provisioning
- Complete Example Using GlusterFS
- Dynamic Provisioning Example Using Containerized GlusterFS
- Dynamic Provisioning Example Using Dedicated GlusterFS
- Containerized Heketi for Managing Dedicated GlusterFS
- Mounting Volumes To Privileged Pods
- Backing Docker Registry with GlusterFS Storage
- Binding Persistent Volumes by Label
- Using StorageClasses for Dynamic Provisioning
- Using StorageClasses for Existing Legacy Storage
- Configuring Azure Blob Storage for Integrated Docker Registry
- Working with HTTP Proxies
- Configuring Global Build Defaults and Overrides
- Configuring Pipeline Execution
- Configuring Route Timeouts
- Configuring Native Container Routing
- Routing from Edge Load Balancers
- Aggregating Container Logs
- Aggregate Logging Sizing Guidelines
- Enabling Cluster Metrics
- Customizing the Web Console
- Deploying External Persistent Volume Provisioners
- Deploying CloudForms on OpenShift
- Revision History
- Administrator Solutions
- Cluster Administration
- Overview
- Managing Nodes
- Managing Users
- Managing Projects
- Managing Pods
- Managing Networking
- Configuring Service Accounts
- Managing Authorization Policies
- Image Policy
- Image Signatures
- Scoped Tokens
- Monitoring Images
- Managing Security Context Constraints
- Scheduling
- Setting Quotas
- Setting Multi-Project Quotas
- Setting Limit Ranges
- Pruning Objects
- Garbage Collection
- Allocating Node Resources
- Opaque Integer Resources
- Overcommitting
- Assigning Unique External IPs for Ingress Traffic
- Out of Resource Handling
- Monitoring and Debugging Routers
- High Availability
- IPtables
- Securing Builds by Strategy
- Restricting Application Capabilities Using Seccomp
- Sysctls
- Encrypting Data at Datastore Layer
- Encrypting Hosts with IPsec
- Building Dependency Trees
- Backup and Restore
- Troubleshooting Networking
- Diagnostics Tool
- Idling Applications
- Analyzing Cluster Capacity
- Revision History
- Scaling and Performance Guide
- CLI Reference
- Developer Guide
- Overview
- Application Life Cycle Management
- Authentication
- Authorization
- Projects
- Migrating Applications
- Tutorials
- Builds
- Deployments
- Templates
- Opening a Remote Shell to Containers
- Service Accounts
- Managing Images
- Quotas and Limit Ranges
- Injecting Information into Pods Using Pod Presets
- Getting Traffic into a Cluster
- Routes
- Integrating External Services
- Secrets
- ConfigMaps
- Downward API
- Projected Volumes
- Using Daemonsets
- Pod Autoscaling
- Managing Volumes
- Using Persistent Volumes
- Executing Remote Commands
- Copying Files
- Port Forwarding
- Shared Memory
- Application Health
- Events
- Managing Environment Variables
- Jobs
- Cron Jobs
- Create from URL
- Revision History
- Creating Images
- Using Images
- REST API Reference
×
Authorization
Overview
This topic contains authorization tasks for application developers and their capabilities, as dictated by the cluster administrator.
Checking If Users Can Create Pods
Using the scc-review and scc-subject-review options, you can see if an
individual user, or a user under a specific service account, can create or
update a pod.
Using the scc-review option, you can check if a service account can create or
update a pod. The command outputs the security context constraints that admit
the resource.
For example, to check if a user with the
system:serviceaccount:projectname:default service account can a create a pod:
You can also use the scc-subject-review option to check whether a specific
user can create or update a pod:
$ oc policy scc-subject-review -u <username> -f my_resource.yaml
To check if a user belonging to a specific group can create a pod in a specific file:
$ oc policy scc-subject-review -u <username> -g <groupname> -f my_resource.yaml
Determining What You Can Do as an Authenticated User
From within your OpenShift Container Platform project, you can determine what verbs you can perform against all namespace-scoped resources (including third-party resources).
The can-i command option tests scopes in terms of the user and role.
$ oc policy can-i --list --loglevel=8
The output helps you to determine what API request to make to gather the information.
To receive information back in a user-readable format, run:
$ oc policy can-i --list
The output provides a full list.
To determine if you can perform specific verbs, run:
$ oc policy can-i <verb> <resource>
User scopes can provide more information about a given scope. For example:
$ oc policy can-i <verb> <resource> --scopes=user:info