[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Can't use the privileged scc in OpenShift 4.2.16



Hi,


In addition to granting your ServiceAccount with permissions to use the privileged SCC, you should add some securityContext.privileged: true to your Pod definition. Otherwise, the restricted SCC first matches your Pod securityContext, privileged would not be considered.

I  couldn't find this in 4.x docs, though you'ld have it in 3.11:


Changing priorities could indeed be a way to work around this.
Though probably not something to recommend.

If you made a copy of the existing privileged SCC, then there's good chances you kept its lists of allowed users / groups.
This means that when Pods relying on those SA would next restart, while not including a securityContext.privileged in their definition: they would mistakenly start as root. Rolling this back could require chowning files back on persistent volumes.

While it is unlikely OpenShift core components would include ServiceAccounts running both privileged and unprivileged Pods (not certain/to check), it could still be a surprise for users in your cluster.
This is not a big deal, on a lab, if you're just testing something on your own, ... though I would avoid this on real-life clusters, or warn other admins at least, ideally make sure only your Jira SA may use that SCC.


Regards.


On Wed, Feb 12, 2020 at 4:36 AM Joel Pearson <japearson agiledigital com au> wrote:
Hi,

I have been trying to use the privileged scc in OpenShift 4.2.16

I follow the normal way adding an scc to a service account.

oc create sa jira
oc adm policy add-scc-to-user privileged -z jira

But it always ends up using the restricted scc. However, anyuid gets applied successfully.

I read about SCC prioritisation and made a copy of privileged scc and set "priority: 10", and then I was able to use it.

What is the proper way to use the privileged scc? Or is this by design?

PS. I realise using privileged is not recommended, and in my case to make jira work I managed to use a customised version of anyuid that contained the AUDIT_WRITE capability so that "su" would work.  However, I figured it would be good to know why privileged kept getting overridden by "restricted"

Thanks,

Joel
_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


--
Samuel Martín Moro
{EPITECH.} 2011

"Nobody wants to say how this works.
 Maybe nobody knows ..."
                      Xorg.conf(5)

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]