Security Context Constraints (SCCs)

Security Context Constraints (SCCs)

OKD provides security context constraints (SCCs), a security mechanism that restricts access to resources, but not to operations in OKD. SCCs limits the access from a running pod in OKD to the host environment. SCCs control:

  • Running privileged containers
  • Requesting extra capabilities to a container
  • Using host directories as volumes
  • Changing the SELinux context of a container
  • Changing the user ID

Some containers developed by the community might require relaxed security context constraints to access resources that are forbidden by default, such as file systems, sockets or to access a SELinux context. You can run the following command as a cluster administrator to list the SCCs defined by OKD:

oc get scc

OKD provides eight SCCs:

  • anyuid
  • hostaccess
  • hostmount-anyuid
  • hostnetwork
  • node-exporter
  • nonroot
  • privileged
  • restricted

Privileged Containers

Some containers might need to access the runtime environment of the host. For example, the S2I builder containers are a class of privileged containers that require access beyond the limits of their own containers. These containers can pose security risks because they can use any resources on an OKD node. SCCs can be used to enable access for privileged containers by creating service accounts with privileged access.