OpenShift Notes

From Bitbull Wiki
Revision as of 07:12, 2 April 2021

1 General

This is stuff I don't want to remember and don't want to forget, so I keep it here! BTW: I'm working with the current OKD version (4.7).

2 Security

2.1 SCC Review

Get a list of all pods and the SCC each one was admitted under
oc get pod --all-namespaces | awk '{print $2 " -n "$1}' | grep -v NAME | while read p ; do echo "======= pod $p" ; oc describe pod $p | grep scc: ; done
Only show the interesting pods (everything not running under restricted)
oc get pod --all-namespaces | awk '{print $1 ","$2}' | grep -v NAME | while read p 
do 
  namespace=$(echo $p | cut -d, -f1)
  pod=$(echo $p | cut -d, -f2)
  oc describe pod $pod -n $namespace | grep scc: | grep -v ": restricted" | while read perm 
  do
    echo "$namespace -> $pod -> $perm"
  done
done | column -t 

2.1.1 Example results on fresh AWS OCP 4.7

openshift-apiserver                               ->  apiserver-5c44597f66-26vp4                               ->  openshift.io/scc:  node-exporter      
openshift-apiserver                               ->  apiserver-5c44597f66-6pw9q                               ->  openshift.io/scc:  node-exporter      
openshift-apiserver                               ->  apiserver-5c44597f66-8kgpf                               ->  openshift.io/scc:  node-exporter      
openshift-authentication-operator                 ->  authentication-operator-78b4fdf6c4-bpwgh                 ->  openshift.io/scc:  anyuid             
openshift-authentication                          ->  oauth-openshift-7f84dd5dd9-b9z4m                         ->  openshift.io/scc:  anyuid             
openshift-authentication                          ->  oauth-openshift-7f84dd5dd9-xzsns                         ->  openshift.io/scc:  anyuid             
openshift-cluster-node-tuning-operator            ->  cluster-node-tuning-operator-844cff6b46-hfhr5            ->  openshift.io/scc:  anyuid             
openshift-cluster-node-tuning-operator            ->  tuned-9dzsb                                              ->  Annotations:       openshift.io/scc:  privileged
openshift-cluster-node-tuning-operator            ->  tuned-l92pl                                              ->  Annotations:       openshift.io/scc:  privileged
openshift-cluster-node-tuning-operator            ->  tuned-pl7j4                                              ->  Annotations:       openshift.io/scc:  privileged
openshift-cluster-node-tuning-operator            ->  tuned-vgkjw                                              ->  Annotations:       openshift.io/scc:  privileged
openshift-cluster-node-tuning-operator            ->  tuned-vq4z9                                              ->  Annotations:       openshift.io/scc:  privileged
openshift-cluster-node-tuning-operator            ->  tuned-whtrw                                              ->  Annotations:       openshift.io/scc:  privileged
openshift-cluster-storage-operator                ->  cluster-storage-operator-d454bcdf5-r4z4q                 ->  openshift.io/scc:  anyuid             
openshift-cluster-storage-operator                ->  csi-snapshot-controller-operator-66d94cbd79-phn82        ->  openshift.io/scc:  anyuid             
openshift-config-operator                         ->  openshift-config-operator-84d8fd8945-khs8m               ->  openshift.io/scc:  anyuid             
openshift-controller-manager-operator             ->  openshift-controller-manager-operator-5595786bf5-qpnk8   ->  openshift.io/scc:  anyuid             
openshift-image-registry                          ->  node-ca-55mg8                                            ->  Annotations:       openshift.io/scc:  privileged
openshift-image-registry                          ->  node-ca-gw8pf                                            ->  Annotations:       openshift.io/scc:  privileged
openshift-image-registry                          ->  node-ca-kkxbc                                            ->  Annotations:       openshift.io/scc:  privileged
openshift-image-registry                          ->  node-ca-m52th                                            ->  Annotations:       openshift.io/scc:  privileged
openshift-image-registry                          ->  node-ca-t8rfk                                            ->  Annotations:       openshift.io/scc:  privileged
openshift-image-registry                          ->  node-ca-vfp7r                                            ->  Annotations:       openshift.io/scc:  privileged
openshift-ingress                                 ->  router-default-564744dbcf-skbwh                          ->  Annotations:       openshift.io/scc:  hostnetwork
openshift-ingress                                 ->  router-default-564744dbcf-vhk6c                          ->  Annotations:       openshift.io/scc:  hostnetwork
openshift-kube-storage-version-migrator-operator  ->  kube-storage-version-migrator-operator-565897bfd9-xbtql  ->  openshift.io/scc:  anyuid             
openshift-kube-storage-version-migrator           ->  migrator-5475dbfddc-tx6d8                                ->  openshift.io/scc:  anyuid             
openshift-machine-api                             ->  cluster-baremetal-operator-7b584c7dfc-d647k              ->  openshift.io/scc:  anyuid             
openshift-marketplace                             ->  community-operators-5cp2b                                ->  openshift.io/scc:  anyuid             
openshift-monitoring                              ->  alertmanager-main-0                                      ->  openshift.io/scc:  nonroot            
openshift-monitoring                              ->  alertmanager-main-1                                      ->  openshift.io/scc:  nonroot            
openshift-monitoring                              ->  alertmanager-main-2                                      ->  openshift.io/scc:  nonroot            
openshift-monitoring                              ->  node-exporter-5fbp5                                      ->  Annotations:       openshift.io/scc:  node-exporter
openshift-monitoring                              ->  node-exporter-lt47z                                      ->  Annotations:       openshift.io/scc:  node-exporter
openshift-monitoring                              ->  node-exporter-vgt4r                                      ->  Annotations:       openshift.io/scc:  node-exporter
openshift-monitoring                              ->  node-exporter-wc65q                                      ->  Annotations:       openshift.io/scc:  node-exporter
openshift-monitoring                              ->  node-exporter-wsz7m                                      ->  Annotations:       openshift.io/scc:  node-exporter
openshift-monitoring                              ->  node-exporter-zp6pt                                      ->  Annotations:       openshift.io/scc:  node-exporter
openshift-monitoring                              ->  prometheus-k8s-0                                         ->  openshift.io/scc:  nonroot            
openshift-monitoring                              ->  prometheus-k8s-1                                         ->  openshift.io/scc:  nonroot            
openshift-oauth-apiserver                         ->  apiserver-6894d6684-cq4d2                                ->  openshift.io/scc:  node-exporter      
openshift-oauth-apiserver                         ->  apiserver-6894d6684-jxpvt                                ->  openshift.io/scc:  node-exporter      
openshift-oauth-apiserver                         ->  apiserver-6894d6684-wj9d5                                ->  openshift.io/scc:  node-exporter      
openshift-operator-lifecycle-manager              ->  catalog-operator-5d56d75ccf-zr87t                        ->  openshift.io/scc:  anyuid             
openshift-operator-lifecycle-manager              ->  olm-operator-5f7849c5c4-cm8dw                            ->  openshift.io/scc:  anyuid             
openshift-operator-lifecycle-manager              ->  packageserver-749dd7985b-672p8                           ->  openshift.io/scc:  anyuid             
openshift-operator-lifecycle-manager              ->  packageserver-749dd7985b-trc95                           ->  openshift.io/scc:  anyuid             
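The review above greps `oc describe pod` output, which is why some rows in the results carry an extra `Annotations:` column. The script below is an added example, not part of the wiki page: it reads the `openshift.io/scc` annotation straight from `oc get pods -A -o json`, skips pods admitted under `restricted`, and gives a per-SCC count. The file name `scc_inventory.py`, the `myapp` namespace, the annotation-less `etcd-quorum-guard-0` pod and the other sample rows are constructed for the demonstration.

```python
"""Inventory which SCC admitted each pod, from `oc get pods -A -o json`.

Added example, not from the wiki page. Rather than grepping `oc describe pod`
output, it reads the openshift.io/scc annotation that SCC admission stamps on
every pod it admits. Usage against a live cluster:

    oc get pods --all-namespaces -o json | python3 scc_inventory.py

Run with --sample to use the constructed data embedded below.
"""
import json
import sys
from collections import Counter

SCC_ANNOTATION = "openshift.io/scc"

# SCCs that are expected for ordinary workloads and need no review.
DEFAULT_IGNORE = frozenset({"restricted"})


def scc_inventory(pod_list_json, ignore=DEFAULT_IGNORE):
    """Return sorted (namespace, pod, scc) triples for pods not under an ignored SCC.

    A pod without the annotation is reported with scc '<none>' rather than
    silently dropped, so gaps in the picture stay visible in the output.
    """
    rows = []
    for item in json.loads(pod_list_json).get("items", []):
        meta = item.get("metadata", {})
        scc = (meta.get("annotations") or {}).get(SCC_ANNOTATION, "<none>")
        if scc in ignore:
            continue
        rows.append((meta.get("namespace", ""), meta.get("name", ""), scc))
    return sorted(rows)


def count_by_scc(rows):
    """Histogram of SCC usage over the inventory rows, most-used first."""
    return Counter(scc for _, _, scc in rows).most_common()


# Constructed sample in the shape of `oc get pods -A -o json`, trimmed to the
# fields read above. The openshift-* pod names mirror the wiki's example
# results; the 'myapp' namespace and the annotation-less etcd pod are made up.
SAMPLE_PODS = json.dumps({"kind": "PodList", "items": [
    {"metadata": {"namespace": "openshift-ingress",
                  "name": "router-default-564744dbcf-skbwh",
                  "annotations": {SCC_ANNOTATION: "hostnetwork"}}},
    {"metadata": {"namespace": "openshift-monitoring",
                  "name": "alertmanager-main-0",
                  "annotations": {SCC_ANNOTATION: "nonroot"}}},
    {"metadata": {"namespace": "openshift-monitoring",
                  "name": "alertmanager-main-1",
                  "annotations": {SCC_ANNOTATION: "nonroot"}}},
    {"metadata": {"namespace": "openshift-monitoring",
                  "name": "node-exporter-5fbp5",
                  "annotations": {SCC_ANNOTATION: "node-exporter"}}},
    {"metadata": {"namespace": "myapp", "name": "web-7d9f6c4b8-abcde",
                  "annotations": {SCC_ANNOTATION: "restricted"}}},
    {"metadata": {"namespace": "myapp", "name": "legacy-agent-2xk9p",
                  "annotations": {SCC_ANNOTATION: "privileged"}}},
    {"metadata": {"namespace": "openshift-etcd", "name": "etcd-quorum-guard-0"}},
]})


def main(argv):
    data = SAMPLE_PODS if "--sample" in argv else sys.stdin.read()
    rows = scc_inventory(data)
    width = max((len(ns) for ns, _, _ in rows), default=0)
    for ns, pod, scc in rows:
        print(f"{ns:<{width}}  {pod:<55}  {scc}")
    print()
    for scc, n in count_by_scc(rows):
        print(f"{n:>4}  {scc}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

The per-SCC count at the bottom is the quick sanity check: on a fresh cluster only the platform namespaces should show up under `privileged`, `hostnetwork` and `node-exporter`, so an application namespace appearing there is the first thing to chase.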

2.2 Check all the SCCs

Of course you should also be interested in the SCC configuration itself: a modification of the default SCCs can get you into big trouble.

Get all the SCC configurations (one file per SCC)
oc get scc | cut -d' ' -f1 | grep -v NAME | while read scc; do oc describe scc $scc > "$scc"; done

2.2.1 Example results on fresh AWS OCP 4.7

File: anyuid Modified: 2021-04-02 09:08:02

Name:						anyuid
Priority:					10
Access:						
  Users:					<none>
  Groups:					system:cluster-admins
Settings:					
  Allow Privileged:				false
  Allow Privilege Escalation:			true
  Default Add Capabilities:			<none>
  Required Drop Capabilities:			MKNOD
  Allowed Capabilities:				<none>
  Allowed Seccomp Profiles:			<none>
  Allowed Volume Types:				configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
  Allowed Flexvolumes:				<all>
  Allowed Unsafe Sysctls:			<none>
  Forbidden Sysctls:				<none>
  Allow Host Network:				false
  Allow Host Ports:				false
  Allow Host PID:				false
  Allow Host IPC:				false
  Read Only Root Filesystem:			false
  Run As User Strategy: RunAsAny		
    UID:					<none>
    UID Range Min:				<none>
    UID Range Max:				<none>
  SELinux Context Strategy: MustRunAs		
    User:					<none>
    Role:					<none>
    Type:					<none>
    Level:					<none>
  FSGroup Strategy: RunAsAny			
    Ranges:					<none>
  Supplemental Groups Strategy: RunAsAny	
    Ranges:					<none>

File: hostaccess Modified: 2021-04-02 09:08:02

Name:						hostaccess
Priority:					<none>
Access:						
  Users:					<none>
  Groups:					<none>
Settings:					
  Allow Privileged:				false
  Allow Privilege Escalation:			true
  Default Add Capabilities:			<none>
  Required Drop Capabilities:			KILL,MKNOD,SETUID,SETGID
  Allowed Capabilities:				<none>
  Allowed Seccomp Profiles:			<none>
  Allowed Volume Types:				configMap,downwardAPI,emptyDir,hostPath,persistentVolumeClaim,projected,secret
  Allowed Flexvolumes:				<all>
  Allowed Unsafe Sysctls:			<none>
  Forbidden Sysctls:				<none>
  Allow Host Network:				true
  Allow Host Ports:				true
  Allow Host PID:				true
  Allow Host IPC:				true
  Read Only Root Filesystem:			false
  Run As User Strategy: MustRunAsRange		
    UID:					<none>
    UID Range Min:				<none>
    UID Range Max:				<none>
  SELinux Context Strategy: MustRunAs		
    User:					<none>
    Role:					<none>
    Type:					<none>
    Level:					<none>
  FSGroup Strategy: MustRunAs			
    Ranges:					<none>
  Supplemental Groups Strategy: RunAsAny	
    Ranges:					<none>

File: hostmount-anyuid Modified: 2021-04-02 09:08:03

Name:						hostmount-anyuid
Priority:					<none>
Access:						
  Users:					system:serviceaccount:openshift-infra:pv-recycler-controller
  Groups:					<none>
Settings:					
  Allow Privileged:				false
  Allow Privilege Escalation:			true
  Default Add Capabilities:			<none>
  Required Drop Capabilities:			MKNOD
  Allowed Capabilities:				<none>
  Allowed Seccomp Profiles:			<none>
  Allowed Volume Types:				configMap,downwardAPI,emptyDir,hostPath,nfs,persistentVolumeClaim,projected,secret
  Allowed Flexvolumes:				<all>
  Allowed Unsafe Sysctls:			<none>
  Forbidden Sysctls:				<none>
  Allow Host Network:				false
  Allow Host Ports:				false
  Allow Host PID:				false
  Allow Host IPC:				false
  Read Only Root Filesystem:			false
  Run As User Strategy: RunAsAny		
    UID:					<none>
    UID Range Min:				<none>
    UID Range Max:				<none>
  SELinux Context Strategy: MustRunAs		
    User:					<none>
    Role:					<none>
    Type:					<none>
    Level:					<none>
  FSGroup Strategy: RunAsAny			
    Ranges:					<none>
  Supplemental Groups Strategy: RunAsAny	
    Ranges:					<none>

File: hostnetwork Modified: 2021-04-02 09:08:03

Name:						hostnetwork
Priority:					<none>
Access:						
  Users:					<none>
  Groups:					<none>
Settings:					
  Allow Privileged:				false
  Allow Privilege Escalation:			true
  Default Add Capabilities:			<none>
  Required Drop Capabilities:			KILL,MKNOD,SETUID,SETGID
  Allowed Capabilities:				<none>
  Allowed Seccomp Profiles:			<none>
  Allowed Volume Types:				configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
  Allowed Flexvolumes:				<all>
  Allowed Unsafe Sysctls:			<none>
  Forbidden Sysctls:				<none>
  Allow Host Network:				true
  Allow Host Ports:				true
  Allow Host PID:				false
  Allow Host IPC:				false
  Read Only Root Filesystem:			false
  Run As User Strategy: MustRunAsRange		
    UID:					<none>
    UID Range Min:				<none>
    UID Range Max:				<none>
  SELinux Context Strategy: MustRunAs		
    User:					<none>
    Role:					<none>
    Type:					<none>
    Level:					<none>
  FSGroup Strategy: MustRunAs			
    Ranges:					<none>
  Supplemental Groups Strategy: MustRunAs	
    Ranges:					<none>

File: machine-api-termination-handler Modified: 2021-04-02 09:08:04

Name:						machine-api-termination-handler
Priority:					<none>
Access:						
  Users:					system:serviceaccount:openshift-machine-api:machine-api-termination-handler
  Groups:					<none>
Settings:					
  Allow Privileged:				false
  Allow Privilege Escalation:			true
  Default Add Capabilities:			<none>
  Required Drop Capabilities:			KILL,MKNOD,SETUID,SETGID
  Allowed Capabilities:				<none>
  Allowed Seccomp Profiles:			<none>
  Allowed Volume Types:				downwardAPI,hostPath
  Allowed Flexvolumes:				<all>
  Allowed Unsafe Sysctls:			<none>
  Forbidden Sysctls:				<none>
  Allow Host Network:				true
  Allow Host Ports:				false
  Allow Host PID:				false
  Allow Host IPC:				false
  Read Only Root Filesystem:			false
  Run As User Strategy: RunAsAny		
    UID:					<none>
    UID Range Min:				<none>
    UID Range Max:				<none>
  SELinux Context Strategy: MustRunAs		
    User:					<none>
    Role:					<none>
    Type:					<none>
    Level:					<none>
  FSGroup Strategy: MustRunAs			
    Ranges:					<none>
  Supplemental Groups Strategy: MustRunAs	
    Ranges:					<none>

File: node-exporter Modified: 2021-04-02 09:08:04

Name:						node-exporter
Priority:					<none>
Access:						
  Users:					<none>
  Groups:					<none>
Settings:					
  Allow Privileged:				true
  Allow Privilege Escalation:			true
  Default Add Capabilities:			<none>
  Required Drop Capabilities:			<none>
  Allowed Capabilities:				<none>
  Allowed Seccomp Profiles:			<none>
  Allowed Volume Types:				*
  Allowed Flexvolumes:				<all>
  Allowed Unsafe Sysctls:			<none>
  Forbidden Sysctls:				<none>
  Allow Host Network:				true
  Allow Host Ports:				true
  Allow Host PID:				true
  Allow Host IPC:				false
  Read Only Root Filesystem:			false
  Run As User Strategy: RunAsAny		
    UID:					<none>
    UID Range Min:				<none>
    UID Range Max:				<none>
  SELinux Context Strategy: RunAsAny		
    User:					<none>
    Role:					<none>
    Type:					<none>
    Level:					<none>
  FSGroup Strategy: RunAsAny			
    Ranges:					<none>
  Supplemental Groups Strategy: RunAsAny	
    Ranges:					<none>

File: nonroot Modified: 2021-04-02 09:08:05

Name:						nonroot
Priority:					<none>
Access:						
  Users:					<none>
  Groups:					<none>
Settings:					
  Allow Privileged:				false
  Allow Privilege Escalation:			true
  Default Add Capabilities:			<none>
  Required Drop Capabilities:			KILL,MKNOD,SETUID,SETGID
  Allowed Capabilities:				<none>
  Allowed Seccomp Profiles:			<none>
  Allowed Volume Types:				configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
  Allowed Flexvolumes:				<all>
  Allowed Unsafe Sysctls:			<none>
  Forbidden Sysctls:				<none>
  Allow Host Network:				false
  Allow Host Ports:				false
  Allow Host PID:				false
  Allow Host IPC:				false
  Read Only Root Filesystem:			false
  Run As User Strategy: MustRunAsNonRoot	
    UID:					<none>
    UID Range Min:				<none>
    UID Range Max:				<none>
  SELinux Context Strategy: MustRunAs		
    User:					<none>
    Role:					<none>
    Type:					<none>
    Level:					<none>
  FSGroup Strategy: RunAsAny			
    Ranges:					<none>
  Supplemental Groups Strategy: RunAsAny	
    Ranges:					<none>

File: privileged Modified: 2021-04-02 09:08:05

Name:						privileged
Priority:					<none>
Access:						
  Users:					system:admin,system:serviceaccount:openshift-infra:build-controller
  Groups:					system:cluster-admins,system:nodes,system:masters
Settings:					
  Allow Privileged:				true
  Allow Privilege Escalation:			true
  Default Add Capabilities:			<none>
  Required Drop Capabilities:			<none>
  Allowed Capabilities:				*
  Allowed Seccomp Profiles:			*
  Allowed Volume Types:				*
  Allowed Flexvolumes:				<all>
  Allowed Unsafe Sysctls:			*
  Forbidden Sysctls:				<none>
  Allow Host Network:				true
  Allow Host Ports:				true
  Allow Host PID:				true
  Allow Host IPC:				true
  Read Only Root Filesystem:			false
  Run As User Strategy: RunAsAny		
    UID:					<none>
    UID Range Min:				<none>
    UID Range Max:				<none>
  SELinux Context Strategy: RunAsAny		
    User:					<none>
    Role:					<none>
    Type:					<none>
    Level:					<none>
  FSGroup Strategy: RunAsAny			
    Ranges:					<none>
  Supplemental Groups Strategy: RunAsAny	
    Ranges:					<none>

File: restricted Modified: 2021-04-02 09:08:06

Name:						restricted
Priority:					<none>
Access:						
  Users:					<none>
  Groups:					system:authenticated
Settings:					
  Allow Privileged:				false
  Allow Privilege Escalation:			true
  Default Add Capabilities:			<none>
  Required Drop Capabilities:			KILL,MKNOD,SETUID,SETGID
  Allowed Capabilities:				<none>
  Allowed Seccomp Profiles:			<none>
  Allowed Volume Types:				configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
  Allowed Flexvolumes:				<all>
  Allowed Unsafe Sysctls:			<none>
  Forbidden Sysctls:				<none>
  Allow Host Network:				false
  Allow Host Ports:				false
  Allow Host PID:				false
  Allow Host IPC:				false
  Read Only Root Filesystem:			false
  Run As User Strategy: MustRunAsRange		
    UID:					<none>
    UID Range Min:				<none>
    UID Range Max:				<none>
  SELinux Context Strategy: MustRunAs		
    User:					<none>
    Role:					<none>
    Type:					<none>
    Level:					<none>
  FSGroup Strategy: MustRunAs			
    Ranges:					<none>
  Supplemental Groups Strategy: RunAsAny	
    Ranges:					<none>

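The dump loop above gives you one file per SCC, and the listing shows what a fresh cluster looks like. What you actually want from those files is a quick answer to "what does this SCC grant?" and "did anyone change it since the baseline?". The script below is an added example, not part of the wiki page: it parses `oc describe scc` output (tab-aligned, with the nested strategy keys), flags grants worth a look, and diffs a current dump against a baseline dump. The file name `scc_audit.py`, the risk rules, the abbreviated `restricted` sample and the "drifted" variant are constructed for the demonstration.

```python
"""Parse `oc describe scc` output, flag risky grants and detect drift from a
known-good baseline dump.

Added example, not from the wiki page. It expects the per-SCC files written by
the page's dump loop (one `oc describe scc NAME` per file), e.g.:

    python3 scc_audit.py baseline/restricted current/restricted

Without arguments it audits the constructed sample embedded below.
"""
import sys

# (key, predicate on the value, why it matters), applied to the flat dict from
# parse_scc(). A hit means the SCC deserves a closer look, not that it is wrong.
RISK_RULES = (
    ("Allow Privileged", lambda v: v == "true", "privileged containers"),
    ("Allow Host Network", lambda v: v == "true", "host network namespace"),
    ("Allow Host PID", lambda v: v == "true", "host PID namespace"),
    ("Allow Host IPC", lambda v: v == "true", "host IPC namespace"),
    ("Allowed Capabilities", lambda v: v != "<none>", "extra capabilities"),
    ("Allowed Volume Types", lambda v: v == "*" or "hostPath" in v.split(","),
     "host filesystem volumes"),
    ("Run As User Strategy", lambda v: v == "RunAsAny", "any UID, root included"),
    ("SELinux Context Strategy", lambda v: v == "RunAsAny", "no enforced SELinux label"),
)


def parse_scc(text):
    """Flatten `oc describe scc` output into {key: value}.

    Whitespace after the colon (tabs in real output) is ignored. Keys nested
    under a strategy are prefixed with their parent so the two 'Ranges' lines
    and the UID fields stay distinct, e.g. 'FSGroup Strategy/Ranges'.
    """
    settings, parent = {}, None
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, value = (part.strip() for part in raw.split(":", 1))
        if not value:                      # 'Access:' / 'Settings:' headers
            continue
        if indent >= 4 and parent:
            settings[f"{parent}/{key}"] = value
        else:
            settings[key] = value
            parent = key
    return settings


def risky_settings(scc):
    """Human-readable reasons an SCC needs review; empty for a benign one."""
    reasons = [f"{key}={scc[key]} ({why})"
               for key, bad, why in RISK_RULES if key in scc and bad(scc[key])]
    # Only 'restricted' is meant to be handed to every authenticated user.
    if ("system:authenticated" in scc.get("Groups", "").split(",")
            and scc.get("Name") != "restricted"):
        reasons.append("Groups=system:authenticated (granted to every user)")
    return reasons


def diff_scc(baseline, current):
    """Sorted (key, baseline_value, current_value) triples that differ."""
    return sorted((k, baseline.get(k, "<absent>"), current.get(k, "<absent>"))
                  for k in set(baseline) | set(current)
                  if baseline.get(k) != current.get(k))


# Constructed sample: an abbreviated `oc describe scc restricted` with the
# values the page shows for a fresh 4.7 cluster (single spaces instead of tabs).
BASELINE_RESTRICTED = """\
Name: restricted
Access:
  Users: <none>
  Groups: system:authenticated
Settings:
  Allow Privileged: false
  Allowed Capabilities: <none>
  Allowed Volume Types: configMap,downwardAPI,emptyDir,persistentVolumeClaim,projected,secret
  Allow Host Network: false
  Allow Host PID: false
  Run As User Strategy: MustRunAsRange
    UID: <none>
  SELinux Context Strategy: MustRunAs
  FSGroup Strategy: MustRunAs
    Ranges: <none>
  Supplemental Groups Strategy: RunAsAny
    Ranges: <none>
"""

# The same SCC after someone loosened it to get a failing workload running
# (constructed): the "big trouble" case, since restricted applies to everyone.
DRIFTED_RESTRICTED = (
    BASELINE_RESTRICTED
    .replace("Allow Host Network: false", "Allow Host Network: true")
    .replace("Allowed Capabilities: <none>", "Allowed Capabilities: NET_ADMIN")
    .replace("Run As User Strategy: MustRunAsRange", "Run As User Strategy: RunAsAny")
)


def main(argv):
    if len(argv) == 2:
        with open(argv[0]) as base_f, open(argv[1]) as cur_f:
            base, cur = parse_scc(base_f.read()), parse_scc(cur_f.read())
    else:
        base, cur = parse_scc(BASELINE_RESTRICTED), parse_scc(DRIFTED_RESTRICTED)
    name = cur.get("Name", "?")
    for reason in risky_settings(cur):
        print(f"RISK  {name}: {reason}")
    for key, old, new in diff_scc(base, cur):
        print(f"DRIFT {name}: {key}: {old} -> {new}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Keep the dump from the fresh install as the baseline directory and re-run the dump loop after every upgrade or operator installation; a non-empty `DRIFT` list on `restricted`, `anyuid` or `nonroot` is the thing to investigate first, because those are the SCCs ordinary workloads land on.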