If I try to add a security constraint to a local OpenShift all-in-one cluster running on Windows 10 Pro and Hyper-V, the OpenShift client receives the following message:

c:\openshift\oc.exe adm policy add-scc-to-user anyuid -z default
Error from server (Forbidden): User "system" cannot get securitycontextconstraints at the cluster scope"

The OpenShift instance was created by docker-machine using the following steps:

1) docker-machine create -d "hyperv" --engine-insecure-registry 172.30.0.0/16 --hyperv-virtual-switch "openshift" openshift
2) oc cluster up --docker-machine=openshift

Is there any configuration to allow the system user to have access to securitycontextconstraints?

Carlos Alberto

2 Answers

Try running:

docker exec origin oc adm policy add-scc-to-user anyuid -z default -n projectname

This will run oc inside of the OpenShift cluster where it should run as an admin.

I would suggest also running:

docker exec origin oc adm policy add-cluster-role-to-group sudoer system:authenticated yourusername

That way you can in future run admin commands by running:

oc adm policy add-scc-to-user anyuid -z default -n projectname --as system:admin

That is, by using --as system:admin to impersonate admin.

You may want to consider using Minishift instead of oc cluster up as, from memory, it gives the developer user the sudoer role by default, so you can use --as system:admin to execute admin commands.

Graham Dumpleton
  • Hi Graham, I tried the command, but it shows the message: "Error response from daemon: Container 56dde33eb4dd822191155b2d109f9e03bf9777c198f92f7dcda38144ea994a23 is not running". Can you help me? – Carlos Alberto Jul 08 '17 at 22:18
  • This should be obvious but I will state it anyway - do not run these commands on a production cluster since they effectively disable authorization. – monis Jul 08 '17 at 22:45
  • Yes, I agree. Running on my desktop to try out containers, as many on Docker Hub run as root. – Carlos Alberto Jul 08 '17 at 22:58
  • @Graham, I installed minishift and executed the command as you said and worked!! "oc --as system:admin adm policy add-scc-to-user anyuid -z default". Tks! – Carlos Alberto Jul 08 '17 at 23:15
  • @enj You are using the wrong term in saying it 'disables authorization'. That is a confusing way of explaining what it does. That command will, for that one project, allow applications running as the default service account to run as any user ID. It doesn't alter what a normal user can do in a project, nor does it alter what an application can do in the cluster via the REST API. How you describe it makes it sound much worse than it is. – Graham Dumpleton Jul 09 '17 at 06:05
  • That said, it should not be done unless you have a specific need. In this case they made it clear they were working in ``oc cluster up``, which means you have some measure of control over the host anyway. – Graham Dumpleton Jul 09 '17 at 06:06
  • @CarlosAlberto You have to run the first command after ``oc cluster up`` is run. It sounds like you had it shutdown at the time. – Graham Dumpleton Jul 09 '17 at 06:07
  • @GrahamDumpleton I stand by what I said as I was referring to `oc adm policy add-cluster-role-to-group sudoer system:authenticated` and not the bits about SCC. Letting any logged in user impersonate the cluster admin does effectively disable authorization. – monis Jul 10 '17 at 15:00
  • Again, they were using ``oc cluster up`` on a personal system. Using ``sudoer`` role is better than giving ``cluster-admin`` role as ``sudoer`` role at least requires a separate action. – Graham Dumpleton Jul 10 '17 at 21:05
  • The first two docker commands didn't work for me due to a certificate issue, but the third, direct command-line approach worked. – FantomX1 Apr 29 '18 at 22:12
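The comments above disagree about how much `add-cluster-role-to-group sudoer system:authenticated` hands out. As an added example (not code from either answer), here is a small audit that reads cluster role binding JSON and flags the sudoer or cluster-admin role bound to the system:authenticated or system:unauthenticated groups, which is exactly the grant that makes `--as system:admin` available to every logged-in user. The JSON shape (`roleRef.name`, `subjects[].kind/name`) is assumed to mirror `oc get clusterrolebindings -o json`, and the sample bindings are constructed.

```python
"""Flag cluster role bindings that give every user a path to cluster admin.

Added example, not from the original thread. Field names are assumed from the
shape of `oc get clusterrolebindings -o json`; the sample data is constructed.
"""
import json

# Roles that let a subject act as, or impersonate, the cluster admin.
PRIVILEGED_ROLES = {"sudoer", "cluster-admin"}
# Groups that contain every logged-in user, or literally everyone.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

# Constructed sample: the binding the answer's command creates (sudoer to
# system:authenticated), one scoped to a single user, and a harmless one.
SAMPLE_BINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "sudoer-everyone"},
         "roleRef": {"name": "sudoer"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "sudoer-developer"},
         "roleRef": {"name": "sudoer"},
         "subjects": [{"kind": "User", "name": "developer"}]},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "basic-users"},
         "roleRef": {"name": "basic-user"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    ],
})


def find_broad_admin_grants(bindings_json: str) -> list:
    """Return (binding name, role, group) for every privileged role bound to a broad group."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        role = item.get("roleRef", {}).get("name")
        if role not in PRIVILEGED_ROLES:
            continue  # only sudoer / cluster-admin matter here
        for subject in item.get("subjects", []):
            if subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS:
                findings.append((item["metadata"]["name"], role, subject["name"]))
    return findings


if __name__ == "__main__":
    for name, role, group in find_broad_admin_grants(SAMPLE_BINDINGS):
        print(f"{name}: role {role!r} is granted to every member of {group!r}")
```

Binding sudoer to a named user (the `sudoer-developer` entry) is not reported, which is the narrower grant to prefer over the group-wide one on anything but a throwaway cluster.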

I could not apply the configuration command until issuing the command for logging in with admin rights:

oc login -u system:admin -n default

Afterwards the well-known command from above (in my case without the "docker" prefix), run on the command line with the OpenShift "oc" command-line utility, worked:

oc adm policy add-scc-to-user anyuid -z default -n projectname

FantomX1