
I want to enable seccomp on my OpenShift v4.6 to use RuntimeDefault:

  securityContext:
    seccompProfile:
      type: RuntimeDefault

When I run the command below, I can see that I have allowPrivilegeEscalation set to true:

    $ oc get scc restricted

    allowPrivilegeEscalation: true
    allowPrivilegeContainer: false

In my deployment YAML file I tried to define the parameter as false:

    securityContext:
      allowPrivilegeEscalation: false

However, this does not change anything.

Do I have to define a custom SecurityContextConstraints to overwrite the parameters?

zyriuse
  • Also have trouble understanding your issue: are you expecting the allowPrivilegeEscalation in the restricted scc to change, because you set allowPrivilegeEscalation to false in your deployment? – Fritz Duchardt Dec 09 '21 at 08:04

1 Answer


I don't quite understand your question.

Regarding editing a SCC, or creating a new one, see: https://docs.openshift.com/container-platform/4.9/authentication/managing-security-context-constraints.html

Yes, you should always define a new SCC with the changes you want. Editing any of the default SCCs in OpenShift is strongly warned against.

The SCC controls what can be admitted to the cluster. If the SCCs available to you define "allowPrivilegeEscalation: true" then you can create pods with this either set to true or false. If it's set to "false" then you can only create pods with it set to false.

In your deployment configuration you can set a securityContext on either the podSpec or the containerSpec. Which one are you using? I recall in my testing there were different behaviours between them, but I can't remember the details off hand. tldr - if you're using one, try the other.

More importantly, how are you determining whether or not something changed? Again, in my testing I ran "oc debug node/ ..." and looked at crictl inspect to observe the effect of that securityContext being changed.

dbaker
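As an added example (not from the original question or answer): a custom SCC that pins both settings discussed above, and a Deployment that opts into it. The SCC name, the namespace "myproject", the service account "app-sa" and the image are assumptions; note that allowPrivilegeEscalation is a container-level securityContext field in Kubernetes, so setting it at pod level has no effect.

```yaml
# Added example (not from the original post). SCC name, namespace
# "myproject", service account "app-sa" and the image are assumptions.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: restricted-no-escalation
priority: 10                       # beats "restricted", which has no priority
allowPrivilegeEscalation: false    # pods may only set this to false
allowPrivilegedContainer: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
requiredDropCapabilities: [ALL]
seccompProfiles: [runtime/default] # only the RuntimeDefault profile is admitted
runAsUser: {type: MustRunAsRange}
seLinuxContext: {type: MustRunAs}
fsGroup: {type: MustRunAs}
supplementalGroups: {type: RunAsAny}
volumes: [configMap, emptyDir, secret]
users:
  - system:serviceaccount:myproject:app-sa
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: myproject
spec:
  replicas: 1
  selector:
    matchLabels: {app: app}
  template:
    metadata:
      labels: {app: app}
    spec:
      serviceAccountName: app-sa
      securityContext:               # pod level: the seccomp profile belongs here
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: app
          image: registry.access.redhat.com/ubi8/ubi-minimal
          command: ["sleep", "infinity"]
          securityContext:           # container level: allowPrivilegeEscalation
            allowPrivilegeEscalation: false   # exists only here, not on the pod
```

To confirm which SCC admitted the pod, read the `openshift.io/scc` annotation with `oc get pod <name> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'`, and inspect the effective container settings with `-o jsonpath='{.spec.containers[*].securityContext}'`.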