Provides all features of the restricted SCC, but allows users to run with any UID and any GID.
In OKD, you can use security context constraints (SCCs) to control permissions for the pods in your cluster.
Default SCCs are created during installation and when you install some Operators or other components. As a cluster administrator, you can also create your own SCCs by using the OpenShift CLI (oc).
| Do not modify the default SCCs. Customizing the default SCCs can lead to issues when some of the platform pods deploy or OKD is upgraded. Additionally, the default SCC values are reset to the defaults during some cluster upgrades, which discards all customizations to those SCCs. Instead of modifying the default SCCs, create and modify your own SCCs as needed. For detailed steps, see Creating security context constraints. | 
Similar to the way that RBAC resources control user access, administrators can use security context constraints (SCCs) to control permissions for pods. These permissions determine the actions that a pod can perform and what resources it can access. You can use SCCs to define a set of conditions that a pod must run with to be accepted into the system.
Security context constraints allow an administrator to control:
Whether a pod can run privileged containers with the allowPrivilegedContainer flag
Whether a pod is constrained with the allowPrivilegeEscalation flag
The capabilities that a container can request
The use of host directories as volumes
The SELinux context of the container
The container user ID
The use of host namespaces and networking
The allocation of an FSGroup that owns the pod volumes
The configuration of allowable supplemental groups
Whether a container requires write access to its root file system
The usage of volume types
The configuration of allowable seccomp profiles
| Do not set the  | 
The cluster contains several default security context constraints (SCCs) as described in the table below. Additional SCCs might be installed when you install Operators or other components to OKD.
| Do not modify the default SCCs. Customizing the default SCCs can lead to issues when some of the platform pods deploy or OKD is upgraded. Additionally, the default SCC values are reset to the defaults during some cluster upgrades, which discards all customizations to those SCCs. Instead of modifying the default SCCs, create and modify your own SCCs as needed. For detailed steps, see Creating security context constraints. | 
| Security context constraint | Description | ||||
|---|---|---|---|---|---|
| 
 | Provides all features of the  | ||||
| 
 | Allows access to all host namespaces but still requires pods to be run with a UID and SELinux context that are allocated to the namespace. 
 | ||||
| 
 | Provides all the features of the  
 | ||||
| 
 | Allows using host networking and host ports but still requires pods to be run with a UID and SELinux context that are allocated to the namespace. 
 | ||||
| 
 | Like the  
 | ||||
| 
 | Like the  
 This SCC allows a user to run a container engine inside of an OKD pod. | ||||
| 
 | Used for the Prometheus node exporter. 
 | ||||
| 
 | Provides all features of the  | ||||
| 
 | Like the  
 | ||||
| 
 | Allows access to all privileged and host features and the ability to run as any user, any group, any FSGroup, and with any SELinux context. 
 The  
 
 | ||||
| 
 | Denies access to all host features and requires pods to be run with a UID, and SELinux context that are allocated to the namespace. The  
 In clusters that were upgraded from OKD 4.10 or earlier, this SCC is available for use by any authenticated user. The  | ||||
| 
 | Like the  
 This SCC is used by default for authenticated users. | ||||
| 
 | Like the  
 This is the most restrictive SCC provided by a new installation and will be used by default for authenticated users. 
 | 
Security context constraints (SCCs) are composed of settings and strategies that control the security features a pod has access to. These settings fall into three categories:
| Category | Description | 
|---|---|
| Controlled by a boolean | Fields of this type default to the most restrictive value. For example,
 | 
| Controlled by an allowable set | Fields of this type are checked against the set to ensure their value is allowed. | 
| Controlled by a strategy | Items that have a strategy to generate a value provide: 
 | 
CRI-O has the following default list of capabilities that are allowed for each container of a pod:
CHOWN
DAC_OVERRIDE
FSETID
FOWNER
SETGID
SETUID
SETPCAP
NET_BIND_SERVICE
KILL
The containers use the capabilities from this default list, but pod manifest authors can alter the list by requesting additional capabilities or removing some of the default behaviors. Use the allowedCapabilities, defaultAddCapabilities, and requiredDropCapabilities parameters to control such requests from the pods. With these parameters you can specify which capabilities can be requested, which ones must be added to each container, and which ones must be forbidden, or dropped, from each container.
| You can drop all capabilites from containers by setting the  | 
MustRunAs - Requires a runAsUser to be configured. Uses the configured
runAsUser as the default. Validates against the configured runAsUser.
MustRunAs snippet...
runAsUser:
  type: MustRunAs
  uid: <id>
...MustRunAsRange - Requires minimum and maximum values to be defined if not
using pre-allocated values. Uses the minimum as the default. Validates against
the entire allowable range.
MustRunAsRange snippet...
runAsUser:
  type: MustRunAsRange
  uidRangeMax: <maxvalue>
  uidRangeMin: <minvalue>
...MustRunAsNonRoot - Requires that the pod be submitted with a non-zero
runAsUser or have the USER directive defined in the image. No default
provided.
MustRunAsNonRoot snippet...
runAsUser:
  type: MustRunAsNonRoot
...RunAsAny - No default provided. Allows any runAsUser to be specified.
RunAsAny snippet...
runAsUser:
  type: RunAsAny
...MustRunAs - Requires seLinuxOptions to be configured if not using
pre-allocated values. Uses seLinuxOptions as the default. Validates against
seLinuxOptions.
RunAsAny - No default provided. Allows any seLinuxOptions to be
specified.
MustRunAs - Requires at least one range to be specified if not using
pre-allocated values. Uses the minimum value of the first range as the default.
Validates against all ranges.
RunAsAny - No default provided. Allows any supplementalGroups to be
specified.
MustRunAs - Requires at least one range to be specified if not using
pre-allocated values. Uses the minimum value of the first range as the default.
Validates against the first ID in the first range.
RunAsAny - No default provided. Allows any fsGroup ID to be specified.
The usage of specific volume types
can be controlled by setting the volumes
field of the SCC.
The allowable values of this field correspond to the volume sources that are defined when creating a volume:
photonPersistentDisk
* (A special value to allow the use of all volume types.)
none (A special value to disallow the use of all volumes types. Exists only for backwards compatibility.)
The recommended minimum set of allowed volumes for new SCCs are configMap,
downwardAPI, emptyDir, persistentVolumeClaim, secret, and projected.
| This list of allowable volume types is not exhaustive because new types are added with each release of OKD. | 
| For backwards compatibility, the usage of  | 
Admission control with SCCs allows for control over the creation of resources based on the capabilities granted to a user.
In terms of the SCCs, this means that an admission controller can inspect the user information made available in the context to retrieve an appropriate set of SCCs. Doing so ensures the pod is authorized to make requests about its operating environment or to generate a set of constraints to apply to the pod.
The set of SCCs that admission uses to authorize a pod are determined by the user identity and groups that the user belongs to. Additionally, if the pod specifies a service account, the set of allowable SCCs includes any constraints accessible to the service account.
| When you create a workload resource, such as a deployment, only the service account is used to find the SCCs and is used to admit the pods when they are created. | 
| When creating pods directly, SCCs admission considers SCC permissions of both the caller and the Service Account that runs the pod. When a pod is created by a pod controller such as a deployment or a job, only Service Account SCC permissions are considered. | 
Admission uses the following approach to create the final security context for the pod:
Retrieve all SCCs available for use.
Generate field values for security context settings that were not specified on the request.
Validate the final settings against the available constraints.
If a matching set of constraints is found, then the pod is accepted. If the request cannot be matched to an SCC, the pod is rejected.
A pod must validate every field against the SCC. The following are examples for just two of the fields that must be validated:
| These examples are in the context of a strategy using the pre-allocated values. | 
An FSGroup SCC strategy of MustRunAs
If the pod defines a fsGroup ID, then that ID must equal the default
fsGroup ID. Otherwise, the pod is not validated by that SCC and the next SCC
is evaluated.
If the SecurityContextConstraints.fsGroup field has value RunAsAny
and the pod specification omits the Pod.spec.securityContext.fsGroup,
then this field is considered valid. Note that it is possible that during
validation, other SCC settings will reject other pod fields and thus cause the
pod to fail.
A SupplementalGroups SCC strategy of MustRunAs
If the pod specification defines one or more supplementalGroups IDs, then
the pod’s IDs must equal one of the IDs in the namespace’s
openshift.io/sa.scc.supplemental-groups annotation. Otherwise, the pod is not
validated by that SCC and the next SCC is evaluated.
If the SecurityContextConstraints.supplementalGroups field has value RunAsAny
and the pod specification omits the Pod.spec.securityContext.supplementalGroups,
then this field is considered valid. Note that it is possible that during
validation, other SCC settings will reject other pod fields and thus cause the
pod to fail.
Security context constraints (SCCs) have a priority field that affects the ordering when attempting to validate a request by the admission controller.
A priority value of 0 is the lowest possible priority. A nil priority is considered a 0, or lowest, priority. Higher priority SCCs are moved to the front of the set when sorting.
When the complete set of available SCCs is determined, the SCCs are ordered in the following manner:
The highest priority SCCs are ordered first.
If the priorities are equal, the SCCs are sorted from most restrictive to least restrictive.
If both the priorities and restrictions are equal, the SCCs are sorted by name.
By default, the anyuid SCC granted to cluster administrators is given priority
in their SCC set. This allows cluster administrators to run pods as any
user by specifying RunAsUser in the pod’s SecurityContext.
The admission controller is aware of certain conditions in the security context constraints (SCCs) that trigger it to look up pre-allocated values from a namespace and populate the SCC before processing the pod. Each SCC strategy is evaluated independently of other strategies, with the pre-allocated values, where allowed, for each policy aggregated with pod specification values to make the final values for the various IDs defined in the running pod.
The following SCCs cause the admission controller to look for pre-allocated values when no ranges are defined in the pod specification:
A RunAsUser strategy of MustRunAsRange with no minimum or maximum set.
Admission looks for the openshift.io/sa.scc.uid-range annotation to populate
range fields.
An SELinuxContext strategy of MustRunAs with no level set. Admission
looks for the openshift.io/sa.scc.mcs annotation to populate the level.
A FSGroup strategy of MustRunAs. Admission looks for the
openshift.io/sa.scc.supplemental-groups annotation.
A SupplementalGroups strategy of MustRunAs. Admission looks for the
openshift.io/sa.scc.supplemental-groups annotation.
During the generation phase, the security context provider uses default values for any parameter values that are not specifically set in the pod. Default values are based on the selected strategy:
RunAsAny and MustRunAsNonRoot strategies do not provide default
values. If the pod needs a parameter value, such as a group ID, you
must define the value in the pod specification.
MustRunAs (single value) strategies provide a default value that is
always used. For example, for group IDs, even if the pod specification defines
its own ID value, the namespace’s default parameter value also appears in the pod’s
groups.
MustRunAsRange and MustRunAs (range-based) strategies provide the
minimum value of the range. As with a single value MustRunAs strategy, the
namespace’s default parameter value appears in the running pod. If a range-based
strategy is configurable with multiple ranges, it provides the minimum value
of the first configured range.
| 
 | 
| By default, the annotation-based  | 
| The  | 
The following examples show the security context constraints (SCC) format and annotations:
privileged SCCallowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegedContainer: true
allowedCapabilities: (1)
- '*'
apiVersion: security.openshift.io/v1
defaultAddCapabilities: [] (2)
fsGroup: (3)
  type: RunAsAny
groups: (4)
- system:cluster-admins
- system:nodes
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: 'privileged allows access to all privileged and host
      features and the ability to run as any user, any group, any fsGroup, and with
      any SELinux context.  WARNING: this is the most relaxed SCC and should be used
      only for cluster administration. Grant with caution.'
  creationTimestamp: null
  name: privileged
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null (5)
runAsUser: (6)
  type: RunAsAny
seLinuxContext: (7)
  type: RunAsAny
seccompProfiles:
- '*'
supplementalGroups: (8)
  type: RunAsAny
users: (9)
- system:serviceaccount:default:registry
- system:serviceaccount:default:router
- system:serviceaccount:openshift-infra:build-controller
volumes: (10)
- '*'| 1 | A list of capabilities that a pod can request. An empty list means
that none of capabilities can be requested while the special symbol *allows any capabilities. | 
| 2 | A list of additional capabilities that are added to any pod. | 
| 3 | The FSGroupstrategy, which dictates the allowable values for the
security context. | 
| 4 | The groups that can access this SCC. | 
| 5 | A list of capabilities to drop from a pod. Or, specify ALLto drop all
capabilities. | 
| 6 | The runAsUserstrategy type, which dictates the allowable values for the
security context. | 
| 7 | The seLinuxContextstrategy type, which dictates the allowable values for
the security context. | 
| 8 | The supplementalGroupsstrategy, which dictates the allowable supplemental
groups for the security context. | 
| 9 | The users who can access this SCC. | 
| 10 | The allowable volume types for the security context. In the example, *allows the use of all volume types. | 
The users and groups fields on the SCC control which users can access the
SCC.
By default, cluster administrators, nodes, and the build controller are granted
access to the privileged SCC. All authenticated users are granted access to the
restricted-v2 SCC.
runAsUser settingapiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext: (1)
  containers:
  - name: sec-ctx-demo
    image: gcr.io/google-samples/node-hello:1.0| 1 | When a container or pod does not request a user ID under which it should be run,
the effective UID depends on the SCC that emits this pod. Because the restricted-v2SCC
is granted to all authenticated users by default, it will be available to all
users and service accounts and used in most cases. Therestricted-v2SCC usesMustRunAsRangestrategy for constraining and defaulting the possible values of
thesecurityContext.runAsUserfield. The admission plugin will look for theopenshift.io/sa.scc.uid-rangeannotation on the current project to populate
range fields, as it does not provide this range. In the end, a container will
haverunAsUserequal to the first value of the range that is
hard to predict because every project has different ranges. | 
runAsUser settingapiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 1000 (1)
  containers:
    - name: sec-ctx-demo
      image: gcr.io/google-samples/node-hello:1.0| 1 | A container or pod that requests a specific user ID will be accepted by OKD only when a service account or a user is granted access to a SCC that allows such a user ID. The SCC can allow arbitrary IDs, an ID that falls into a range, or the exact user ID specific to the request. | 
This configuration is valid for SELinux, fsGroup, and Supplemental Groups.
If the default security context constraints (SCCs) do not satisfy your application workload requirements, you can create a custom SCC by using the OpenShift CLI (oc).
| Creating and modifying your own SCCs are advanced operations that might cause instability to your cluster. If you have questions about using your own SCCs, contact Red Hat Support. For information about contacting Red Hat support, see Getting support. | 
Install the OpenShift CLI (oc).
Log in to the cluster as a user with the cluster-admin role.
Define the SCC in a YAML file named scc-admin.yaml:
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: scc-admin
allowPrivilegedContainer: true
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users:
- my-admin-user
groups:
- my-admin-groupOptionally, you can drop specific capabilities for an SCC by setting the requiredDropCapabilities field with the desired values. Any specified capabilities are dropped from the container. To drop all capabilities, specify ALL. For example, to create an SCC that drops the KILL, MKNOD, and SYS_CHROOT capabilities, add the following to the SCC object:
requiredDropCapabilities:
- KILL
- MKNOD
- SYS_CHROOT| You cannot list a capability in both  | 
CRI-O supports the same list of capability values that are found in the Docker documentation.
Create the SCC by passing in the file:
$ oc create -f scc-admin.yamlsecuritycontextconstraints "scc-admin" createdVerify that the SCC was created:
$ oc get scc scc-adminNAME        PRIV      CAPS      SELINUX    RUNASUSER   FSGROUP    SUPGROUP   PRIORITY   READONLYROOTFS   VOLUMES
scc-admin   true      []        RunAsAny   RunAsAny    RunAsAny   RunAsAny   <none>     false            [awsElasticBlockStore azureDisk azureFile cephFS cinder configMap downwardAPI emptyDir fc flexVolume flocker gcePersistentDisk gitRepo glusterfs iscsi nfs persistentVolumeClaim photonPersistentDisk quobyte rbd secret vsphere]You can configure a workload to require a certain security context constraint (SCC). This is useful in scenarios where you want to pin a specific SCC to the workload or if you want to prevent your required SCC from being preempted by another SCC in the cluster.
To require a specific SCC, set the openshift.io/required-scc annotation on your workload. You can set this annotation on any resource that can set a pod manifest template, such as a deployment or daemon set.
The SCC must exist in the cluster and must be applicable to the workload, otherwise pod admission fails. An SCC is considered applicable to the workload if the user creating the pod or the pod’s service account has use permissions for the SCC in the pod’s namespace.
| Do not change the  | 
The SCC must exist in the cluster.
Create a YAML file for the deployment and specify a required SCC by setting the openshift.io/required-scc annotation:
deployment.yamlapiVersion: config.openshift.io/v1
kind: Deployment
apiVersion: apps/v1
spec:
# ...
  template:
    metadata:
      annotations:
        openshift.io/required-scc: "my-scc" (1)
# ...| 1 | Specify the name of the SCC to require. | 
Create the resource by running the following command:
$ oc create -f deployment.yamlVerify that the deployment used the specified SCC:
View the value of the pod’s openshift.io/scc annotation by running the following command:
$ oc get pod <pod_name> -o jsonpath='{.metadata.annotations.openshift\.io\/scc}{"\n"}' (1)| 1 | Replace <pod_name>with the name of your deployment pod. | 
Examine the output and confirm that the displayed SCC matches the SCC that you defined in the deployment:
my-sccYou can specify SCCs as resources that are handled by RBAC. This allows you to scope access to your SCCs to a certain project or to the entire cluster. Assigning users, groups, or service accounts directly to an SCC retains cluster-wide scope.
| Do not run workloads in or share access to default projects. Default projects are reserved for running core cluster components. The following default projects are considered highly privileged:  | 
To include access to SCCs for your role, specify the scc resource
when creating a role.
$ oc create role <role-name> --verb=use --resource=scc --resource-name=<scc-name> -n <namespace>This results in the following role definition:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
...
  name: role-name (1)
  namespace: namespace (2)
...
rules:
- apiGroups:
  - security.openshift.io (3)
  resourceNames:
  - scc-name (4)
  resources:
  - securitycontextconstraints (5)
  verbs: (6)
  - use| 1 | The role’s name. | 
| 2 | Namespace of the defined role. Defaults to defaultif not specified. | 
| 3 | The API group that includes the SecurityContextConstraintsresource.
Automatically defined whensccis specified as a resource. | 
| 4 | An example name for an SCC you want to have access. | 
| 5 | Name of the resource group that allows users to specify SCC names in
the resourceNamesfield. | 
| 6 | A list of verbs to apply to the role. | 
A local or cluster role with such a rule allows the subjects that are
bound to it with a role binding or a cluster role binding to use the
user-defined SCC called scc-name.
| Because RBAC is designed to prevent escalation, even project administrators
are unable to grant access to an SCC. By default, they are not
allowed to use the verb  | 
You can manage security context constraints (SCCs) in your instance as normal API objects by using the OpenShift CLI (oc).
| You must have  | 
To get a current list of SCCs:
$ oc get sccNAME                              PRIV    CAPS                   SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY     READONLYROOTFS   VOLUMES
anyuid                            false   <no value>             MustRunAs   RunAsAny           RunAsAny    RunAsAny    10           false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
hostaccess                        false   <no value>             MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","hostPath","persistentVolumeClaim","projected","secret"]
hostmount-anyuid                  false   <no value>             MustRunAs   RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","hostPath","nfs","persistentVolumeClaim","projected","secret"]
hostnetwork                       false   <no value>             MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
hostnetwork-v2                    false   ["NET_BIND_SERVICE"]   MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
node-exporter                     true    <no value>             RunAsAny    RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["*"]
nonroot                           false   <no value>             MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
nonroot-v2                        false   ["NET_BIND_SERVICE"]   MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
privileged                        true    ["*"]                  RunAsAny    RunAsAny           RunAsAny    RunAsAny    <no value>   false            ["*"]
restricted                        false   <no value>             MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]
restricted-v2                     false   ["NET_BIND_SERVICE"]   MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <no value>   false            ["configMap","downwardAPI","emptyDir","persistentVolumeClaim","projected","secret"]You can view information about a particular SCC, including which users, service accounts, and groups the SCC is applied to.
For example, to examine the restricted SCC:
$ oc describe scc restrictedName:                                  restricted
Priority:                              <none>
Access:
  Users:                               <none> (1)
  Groups:                              <none> (2)
Settings:
  Allow Privileged:                    false
  Allow Privilege Escalation:          true
  Default Add Capabilities:            <none>
  Required Drop Capabilities:          KILL,MKNOD,SETUID,SETGID
  Allowed Capabilities:                <none>
  Allowed Seccomp Profiles:            <none>
  Allowed Volume Types:                configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
  Allowed Flexvolumes:                 <all>
  Allowed Unsafe Sysctls:              <none>
  Forbidden Sysctls:                   <none>
  Allow Host Network:                  false
  Allow Host Ports:                    false
  Allow Host PID:                      false
  Allow Host IPC:                      false
  Read Only Root Filesystem:           false
  Run As User Strategy: MustRunAsRange
    UID:                               <none>
    UID Range Min:                     <none>
    UID Range Max:                     <none>
  SELinux Context Strategy: MustRunAs
    User:                              <none>
    Role:                              <none>
    Type:                              <none>
    Level:                             <none>
  FSGroup Strategy: MustRunAs
    Ranges:                            <none>
  Supplemental Groups Strategy: RunAsAny
    Ranges:                            <none>| 1 | Lists which users and service accounts the SCC is applied to. | 
| 2 | Lists which groups the SCC is applied to. | 
| To preserve customized SCCs during upgrades, do not edit settings on the default SCCs. | 
If your custom SCC no longer satisfies your application workloads requirements, you can update your SCC by using the OpenShift CLI (oc).
To update an existing SCC:
$ oc edit scc <scc_name>| To preserve customized SCCs during upgrades, do not edit settings on the default SCCs. |