Information Security
The3fon, 2021-03-31 23:41:55

Explanation of setting SCC in OpenShift?

Good afternoon. I am asking for help explaining the essence of SCC for OpenShift. While the description in the docs is understandable for all the other SCC directives, I still haven't figured out how SELinux and seccomp policies are configured using SCC.
With the Capabilities setting everything is clear: there are directives for adding or removing capabilities for the pod, there is a list of the default caps granted to the container, and a list of all supported caps in the manual. For SELinux, however, there is only this directive:

seLinuxContext:
  type: RunAsAny
or MustRunAs

How to interpret and configure it?

For seccomp it is the same: I did not find an example of a YAML file where a configured profile was specified that denies or allows particular system calls. How is it configured?

1 answer(s)
Saboteur, 2021-04-01
@saboteur_kiev

This refers to which user the pods run as. There are four options:
MustRunAs - all containers must run as the user configured in runAsUser
MustRunAsRange - users with a UID in the specified range can be used in containers. If no user is specified, the first UID of the range is taken automatically; useful for separating access rights, for example, between projects (namespaces)
MustRunAsNonRoot - any user except root (uid 0) can be used
RunAsAny - containers can be run as any user
In general, more details here:
https://docs.openshift.com/container-platform/4.1/...
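The answer covers runAsUser, but the question was about the seLinuxContext and seccomp parts of an SCC. The fragment below is an added illustration, not code from the thread or from the OpenShift documentation. It shows a constructed SCC, a pod that would be admitted under it, and a constructed seccomp profile; the SCC name, the MCS level, the namespace and the profile file name are assumptions chosen for the example. In OpenShift 4.x the SCC field is `seccompProfiles`, and a pod selects its profile with `securityContext.seccompProfile`; the profile file itself is JSON placed under the kubelet seccomp root (/var/lib/kubelet/seccomp) on every node that may run the pod.

```yaml
# Constructed example SCC (not one of the built-in SCCs).
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: example-selinux-seccomp
# ---- SELinux ----
# type: RunAsAny   -> the pod may set any seLinuxOptions, or none.
# type: MustRunAs  -> every container gets the SELinux label below; a pod that
#                    asks for a different label is rejected by admission.
# If seLinuxOptions is omitted under MustRunAs (as the built-in 'restricted'
# SCC does), the MCS level is taken from the namespace annotation
# openshift.io/sa.scc.mcs, which is what isolates projects from each other.
seLinuxContext:
  type: MustRunAs
  seLinuxOptions:
    level: "s0:c123,c456"   # assumed MCS level for this example
# ---- seccomp ----
# Allowed profile names. A pod may only reference profiles listed here.
# "runtime/default" is the container runtime's default profile;
# "localhost/<file>" is a file under the kubelet seccomp root on the node.
seccompProfiles:
- runtime/default
- localhost/example-profile.json
# ---- the parts the question already understood, kept for completeness ----
runAsUser:
  type: MustRunAsRange
  uidRangeMin: 1000
  uidRangeMax: 1999
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: MustRunAs
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- configMap
- emptyDir
- secret
users:
- system:serviceaccount:example-ns:example-sa   # assumed SA that may use this SCC
---
# Constructed pod that is admitted under the SCC above.
apiVersion: v1
kind: Pod
metadata:
  name: example-pod
  namespace: example-ns
spec:
  serviceAccountName: example-sa
  securityContext:
    # Must match a name in the SCC's seccompProfiles list.
    seccompProfile:
      type: Localhost
      localhostProfile: example-profile.json   # resolved under /var/lib/kubelet/seccomp
    # Optional: if stated, must equal the SCC's MustRunAs label, or admission fails.
    seLinuxOptions:
      level: "s0:c123,c456"
  containers:
  - name: app
    image: registry.example.com/app:1.0   # assumed image
    securityContext:
      runAsUser: 1000
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
---
# Constructed seccomp profile. This is the JSON file that would be installed as
# /var/lib/kubelet/seccomp/example-profile.json on each node; JSON is shown here
# only because it is valid YAML, it is not applied through the API server.
# defaultAction SCMP_ACT_ERRNO denies every syscall not listed below (the call
# fails with EPERM); the allow list is deliberately minimal and illustrative.
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {
      "names": ["read", "write", "openat", "close", "fstat", "mmap", "munmap",
                "brk", "rt_sigaction", "rt_sigprocmask", "exit_group",
                "futex", "nanosleep", "clock_gettime", "getpid"],
      "action": "SCMP_ACT_ALLOW"
    },
    {
      "names": ["ptrace", "mount", "umount2", "reboot", "kexec_load"],
      "action": "SCMP_ACT_KILL"
    }
  ]
}
```

Two checks worth doing after applying such an SCC: `oc get pod example-pod -o yaml` and read the `openshift.io/scc` annotation to confirm which SCC actually admitted the pod (a more permissive SCC the service account also has access to can win), and `oc exec example-pod -- cat /proc/1/status | grep Seccomp` should show `Seccomp: 2` (filter mode) when the profile is in effect. Older releases selected the profile with the pod annotation `seccomp.security.alpha.kubernetes.io/pod` instead of `securityContext.seccompProfile`; the SCC `seccompProfiles` list is the allow list in both cases.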
