SCC assignments and permissions in OpenShift

Oct 1, 2020 10:18 · 1340 words · 7 minute read openshift scc permissions rbac

SCCs

There are tons of information out there about SCCs, but in this post we will be focused on how to create and use a custom SCC only.

See the OpenShift official documentation on Managing Security Context Constraints for more details.

Custom SCC

In the event of requiring a custom SCC, there are a few steps that need to be done to be able to use the SCC properly.

Minimal capabilities

The best way to create a custom SCC would be to build it based on the most restricted one (hint: its name is restricted) and then start adding capabilities and permissions depending on the application requisites.

In this example we are going to create a custom SCC based on the restricted one but adding permissions to use hostpath:

cat << EOF | oc apply -f -
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
fsGroup:
  type: MustRunAs
metadata:
  name: mycustomscc
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
- hostpath
EOF

NOTE: The SCC management procedures are restricted to the cluster-admin user for security reasons.

SCC assignation and permissions

In order to be able to use a custom SCC, it is required the user or serviceaccount running the pod has access to the custom SCC.

This can be achieved in two different ways:

  • Modifying the SCC to set users/groups.
  • Using RBAC (roles, rolebindings, etc.)

But first, let’s do a regular deployment:

oc login -u nonadmin -p whatever api.example.com
oc new-project myproject
oc create deployment hello-openshift --image=openshift/hello-openshift

Note: As an exercise, you can try to create those objects using just yaml files.

The pod will have the restricted SCC by default:

oc get po -l app=hello-openshift -o jsonpath='{.items[*].metadata.annotations.openshift\.io/scc}'
restricted

Let’s create a serviceaccount:

oc create sa myserviceaccount

Note: As an exercise, you can try to create the service using just a yaml file.

And then, let’s modify the deployment to use that serviceaccount instead:

oc set serviceaccount deployment/hello-openshift myserviceaccount

This will modify the deployment object to set the serviceAccountName parameter (serviceAccount is currently deprecated, see oc explain pod.spec for more information.)

Hint: You can use oc patch or oc edit as well.

oc get deployment hello-openshift -o jsonpath='{.spec.template.spec.serviceAccountName}'
myserviceaccount

Let’s modify the deployment to use a hostPath volume:

oc patch deployment/hello-openshift -p '{"spec":{"template":{"spec":{"$setElementOrder/containers":[{"name":"hello-openshift"}],"containers":[{"name":"hello-openshift","volumeMounts":[{"mountPath":"/empty","name":"myvolume"}]}],"volumes":[{"hostPath":{"path":"/var/empty","type":"Directory"},"name":"myvolume"}]}}}}' deployment/hello-openshift

Hum… nothing happens… let’s see the events:

oc get events
...
42s         Warning   FailedCreate        replicaset/hello-openshift-855649976d   Error creating: pods "hello-openshift-855649976d-" is forbidden: unable to validate against any security context constraint: [spec.volumes[0]: Invalid value: "hostPath": hostPath volumes are not allowed to be used]

It seems the pod is not allowed to use hostPath… as expected. This means we need to give that serviceaccount permission to use the custom SCC.

Method A: Modify the SCC definition

This method involves modifying the SCC to add the serviceaccount to the list of users (or groups), as:

users:
- <user>
- system:serviceaccount:<namespace>:<serviceaccountname>

Assigning users, groups or service accounts directly to an SCC retains cluster-wide scope and require cluster-admin permissions:

oc whoami
system:admin

oc patch scc mycustomscc --type=merge -p '{"users":["system:serviceaccount:myproject:myserviceaccount"]}'

Let’s see now:

oc whoami
nonadmin

oc get po -l app=hello-openshift -o jsonpath='{.items[*].metadata.annotations.openshift\.io/scc}'
mycustomscc

Nice!

Before continuing, let’s clean the SCC:

oc whoami
system:admin

oc patch scc mycustomscc --type=merge -p '{"users":[]}'

And remove the pod:

oc whoami
nonadmin

oc delete $(oc get po -o name -l app=hello-openshift)

Method B: SCC RBAC

Since OpenShift 3.11, you can specify SCCs as a resource that is handled by RBAC. This allows you to scope access to the SCCs to a certain project or to the entire cluster.

This means that in order for the serviceaccount to use the SCC, you need to create a role (or clusterrole) with the proper permissions and a rolebinding (or clusterrolebinding) for the serviceaccount to that role. It sounds complicated but it is not. Let’s do it with just a single command:

oc whoami
system:admin

oc adm policy add-scc-to-user mycustomscc -z myserviceaccount -n myproject

This will create a clusterrole.rbac.authorization.k8s.io/system:openshift:scc:mycustomscc object:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:openshift:scc:mycustomscc
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - mycustomscc
  resources:
  - securitycontextconstraints
  verbs:
  - use

And a rolebinding in our namespace:

oc get rolebinding system:openshift:scc:mycustomscc -o yaml -n myproject
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: system:openshift:scc:mycustomscc
  namespace: myproject
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:mycustomscc
subjects:
- kind: ServiceAccount
  name: myserviceaccount
  namespace: myproject

To verify:

oc whoami
nonadmin

oc adm policy who-can use scc mycustomscc | grep myserviceaccount
        system:serviceaccount:myproject:myserviceaccount

oc get po -l app=hello-openshift -o jsonpath='{.items[*].metadata.annotations.openshift\.io/scc}'
mycustomscc

Nice!

Priorities

When a pod request is created, the admission controller evaluates the request and assign an SCC depending on the permissions the pod requests as well as the permissions the user/sa running this pod is allowed.

The SCCs have a priority field to affect the ordering. This means:

  • Highest priority first, no priority is considered 0
  • If priorities are equal, the SCCs will be sorted from most restrictive to least restrictive
  • If both priorities and restrictions are equal the SCCs will be sorted by name

See the admission controller code if you are brave enough to understand it :)

The out-of-the-box SCCs included in OpenShift 4 and their priorities are:

oc get scc -o custom-columns=NAME:.metadata.name,PRIORITY:.priority
NAME                          PRIORITY
anyuid                        10
hostaccess                    <nil>
hostmount-anyuid              <nil>
hostnetwork                   <nil>
node-exporter                 <nil>
nonroot                       <nil>
privileged                    <nil>
restricted                    <nil>

Warning about priorities

Some service accounts included by default in OpenShift are granted cluster-admin permissions, meaning they can perform any action on any resource, including using any SCC, despite of not having being granted it explicitly.

In our case, we only give access to the myserviceaccount service account to use the mycustomscc SCC… but in fact, there are quite a few service accounts allowed to use it:

oc adm policy who-can use scc mycustomscc
...
Users:  admin
        system:admin
        system:serviceaccount:myproject:myserviceaccount
        system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
        system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
        system:serviceaccount:openshift-authentication-operator:authentication-operator
        system:serviceaccount:openshift-authentication:oauth-openshift
        system:serviceaccount:openshift-cluster-node-tuning-operator:cluster-node-tuning-operator
        system:serviceaccount:openshift-cluster-storage-operator:csi-snapshot-controller-operator
        system:serviceaccount:openshift-cluster-version:default
        system:serviceaccount:openshift-config-operator:openshift-config-operator
        system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
        system:serviceaccount:openshift-etcd-operator:etcd-operator
        system:serviceaccount:openshift-etcd:installer-sa
        system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
        system:serviceaccount:openshift-kube-apiserver:installer-sa
        system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
        system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
        system:serviceaccount:openshift-kube-controller-manager:installer-sa
        system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
        system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
        system:serviceaccount:openshift-kube-scheduler:installer-sa
        system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
        system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
        system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
        system:serviceaccount:openshift-machine-config-operator:default
        system:serviceaccount:openshift-network-operator:default
        system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
        system:serviceaccount:openshift-service-ca-operator:service-ca-operator
        system:serviceaccount:openshift-service-catalog-removed:openshift-service-catalog-apiserver-remover
        system:serviceaccount:openshift-service-catalog-removed:openshift-service-catalog-controller-manager-remover
Groups: system:cluster-admins
        system:masters

This means any of those serviceaccounts can effectively use the custom SCC and if the priority is higher than the one intended to be used, things can go wrong. For more information see this KCS article

Let’s see it in action. Modify the mycustomscc to have higher priority than the default ones (any number higher than 10 would be enough… let’s choose 99):

oc patch scc mycustomscc --type merge -p '{"priority":99}'

oc get scc mycustomscc -o jsonpath='{.priority}'
99

Now, let’s force the admission controller to ‘recalculate’ the SCCs for one of the serviceaccounts that can use any SCC. In this example, we will choose one of the oauth pods:

oc get po -n openshift-authentication
NAME                               READY   STATUS             RESTARTS   AGE
oauth-openshift-5c4466d8f6-djg89   1/1     Running            0          3d4h
oauth-openshift-5c4466d8f6-hrrkf   1/1     Running            0          3d4h

oc get po -n openshift-authentication -o jsonpath='{range .items[*]}{.metadata.annotations.openshift\.io/scc}{"\t"}{.metadata.name}{"\t"}{.metadata.namespace}{"\n"}{end}'
anyuid	oauth-openshift-5c4466d8f6-djg89	openshift-authentication
anyuid	oauth-openshift-5c4466d8f6-hrrkf	openshift-authentication

oc get deploy -n openshift-authentication oauth-openshift -o jsonpath='{.spec.template.spec.serviceAccountName}'
oauth-openshift

oc adm policy who-can use scc mycustomscc | grep oauth-openshift
        system:serviceaccount:openshift-authentication:oauth-openshift

They are using the anyuid SCC, but they can use any… and based on the order, mycustomscc will win:

oc get scc -o custom-columns=NAME:.metadata.name,PRIORITY:.priority
NAME                          PRIORITY
anyuid                        10
hostaccess                    <nil>
hostmount-anyuid              <nil>
hostnetwork                   <nil>
mycustomscc                   99
node-exporter                 <nil>
nonroot                       <nil>
privileged                    <nil>
restricted                    <nil>

Let’s see:

oc delete po oauth-openshift-5c4466d8f6-hrrkf

oc get po
NAME                               READY   STATUS             RESTARTS   AGE
oauth-openshift-5c4466d8f6-djg89   1/1     Running            0          3d4h
oauth-openshift-5c4466d8f6-wq7cv   0/1     CrashLoopBackOff   6          7m45s

oc get po -n openshift-authentication -o jsonpath='{range .items[*]}{.metadata.annotations.openshift\.io/scc}{"\t"}{.metadata.name}{"\t"}{.metadata.namespace}{"\n"}{end}'
anyuid	oauth-openshift-5c4466d8f6-djg89	openshift-authentication
mycustomscc	oauth-openshift-5c4466d8f6-wq7cv	openshift-authentication

Ooops, we just broke our cluster… the admission controller choose the mycustomscc SCC instead the anyuid one and now the pod is not able to run. Let’s fix it by lowering the priority of our custom SCC:

oc patch scc mycustomscc --type merge -p '{"priority":9}'
oc delete po oauth-openshift-5c4466d8f6-wq7cv
oc get po
NAME                               READY   STATUS    RESTARTS   AGE
oauth-openshift-5c4466d8f6-djg89   1/1     Running   0          3d4h
oauth-openshift-5c4466d8f6-tbphl   1/1     Running   0          46s

oc get po -n openshift-authentication -o jsonpath='{range .items[*]}{.metadata.annotations.openshift\.io/scc}{"\t"}{.metadata.name}{"\t"}{.metadata.namespace}{"\n"}{end}'
anyuid	oauth-openshift-5c4466d8f6-djg89	openshift-authentication
anyuid	oauth-openshift-5c4466d8f6-tbphl	openshift-authentication

PHEW!

tweet Share