Find the Best Cosmetic Hospitals

Explore trusted cosmetic hospitals and make a confident choice for your transformation.

โ€œInvest in yourself โ€” your confidence is always worth it.โ€

Explore Cosmetic Hospitals

Start your journey today โ€” compare options in one place.

What are Security Context Constraints (SCC) in OpenShift?

๐Ÿ” What are Security Context Constraints (SCC) in OpenShift?

Security Context Constraints (SCC) are OpenShiftโ€™s mechanism for controlling security-sensitive aspects of how containers run in the cluster. SCCs define a set of rules that govern what actions a pod or container can perform and what privileges it can have.

They are a powerful RBAC + security enforcement layer, unique to OpenShift, built to enforce strong multi-tenancy and non-root container execution โ€” making it more secure than vanilla Kubernetes by default.


๐Ÿšง Why SCCs Matter

By default, OpenShift enforces non-root, least privilege principles through SCCs. This prevents containers from:

  • Running as the root user
  • Mounting host paths
  • Running privileged containers
  • Escaping the container isolation

This protects the cluster from poorly configured or potentially malicious workloads.


๐Ÿงฑ Key Features of SCC

SCC AttributeWhat It Does
runAsUserControls if the pod can run as root or must use a specific UID
seLinuxContextDefines SELinux labels that must be applied to containers
allowPrivilegedContainerDetermines whether a pod can request privileged mode
volumesLimits which volume types (e.g., hostPath, PVC) a pod can mount
allowHostNetworkDetermines if a pod can use the hostโ€™s network namespace
allowHostPID/IPCControls access to the hostโ€™s PID or IPC namespaces
readOnlyRootFilesystemForces the container to use a read-only root filesystem

๐Ÿงฉ Default SCCs in OpenShift

SCC NameUse CaseAllows Running as Root?Privileged?
restrictedDefault for most usersโŒ NoโŒ No
anyuidFor workloads that require rootโœ… YesโŒ No
privilegedFor system-level workloadsโœ… Yesโœ… Yes
hostaccessAllows host network and volumesโœ… YesโŒ No
nonrootMust run as non-root explicitlyโŒ NoโŒ No
baseline (v4.x+)Common for unprivileged workloadsโŒ NoโŒ No

You can view all SCCs in your cluster with:

oc get scc
Code language: JavaScript (javascript)

And inspect details with:

oc describe scc restricted

๐Ÿ”‘ Binding SCCs to Users/Service Accounts

OpenShift assigns SCCs using RBAC bindings to users, groups, or service accounts. Example:

oc adm policy add-scc-to-user anyuid -z myserviceaccount -n mynamespace

This allows your pod to run under the anyuid SCC โ€” enabling it to run as root, if required.


โš ๏ธ Common SCC-Related Errors

  • “permission denied” when trying to bind to port < 1024 โ†’ likely due to restricted SCC not allowing root.
  • “hostPath volume mounts are not allowed” โ†’ SCC does not permit hostPath volume type.
  • Container fails to start due to UID mismatch โ†’ Pod expected to run with a specific UID or non-root.

โœ… Best Practices

  • Stick with the restricted SCC whenever possible.
  • Avoid using anyuid or privileged unless absolutely necessary.
  • Use custom SCCs for edge cases (e.g., to allow hostPath volumes or specific capabilities).
  • Always audit SCC use for security compliance.

Find Trusted Cardiac Hospitals

Compare heart hospitals by city and services โ€” all in one place.

Explore Hospitals
Iโ€™m a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at <a href="https://www.cotocus.com/">Cotocus</a>. I share tech blog at <a href="https://www.devopsschool.com/">DevOps School</a>, travel stories at <a href="https://www.holidaylandmark.com/">Holiday Landmark</a>, stock market tips at <a href="https://www.stocksmantra.in/">Stocks Mantra</a>, health and fitness guidance at <a href="https://www.mymedicplus.com/">My Medic Plus</a>, product reviews at <a href="https://www.truereviewnow.com/">TrueReviewNow</a> , and SEO strategies at <a href="https://www.wizbrand.com/">Wizbrand.</a> Do you want to learn <a href="https://www.quantumuting.com/">Quantum Computing</a>? <strong>Please find my social handles as below;</strong> <a href="https://www.rajeshkumar.xyz/">Rajesh Kumar Personal Website</a> <a href="https://www.youtube.com/TheDevOpsSchool">Rajesh Kumar at YOUTUBE</a> <a href="https://www.instagram.com/rajeshkumarin">Rajesh Kumar at INSTAGRAM</a> <a href="https://x.com/RajeshKumarIn">Rajesh Kumar at X</a> <a href="https://www.facebook.com/RajeshKumarLog">Rajesh Kumar at FACEBOOK</a> <a href="https://www.linkedin.com/in/rajeshkumarin/">Rajesh Kumar at LINKEDIN</a> <a href="https://www.wizbrand.com/rajeshkumar">Rajesh Kumar at WIZBRAND</a> <a href="https://www.rajeshkumar.xyz/dailylogs">Rajesh Kumar DailyLogs</a>

Related Posts

Best DevOps Tools in 2024

hereโ€™s a clear, structured breakdown of the Best DevOps Tools (grouped by categories), so you can use it for learning, training, or posts. ๐Ÿš€ Best DevOps Tools…

Read More

OpenShift Tutorial โ€“ Deploy and Access Your First Applications using OpenShift Local

How to install oc? OpenShift: How to Install OpenShift CLI oc How to login? Login to the Openshift using Web Console and CLI using oc Copy the admin…

Read More

OpenShift Lab 14: Setting Up and Using OpenShift Serverless Functions on OpenShift Local

Lab Objective In this lab, you will install and use OpenShift Serverless Functions on OpenShift Local. You will create a simple Node.js serverless function, deploy it to…

Read More

OpenShift Lab 13: Deploy a Java Spring Boot Application with MySQL Using the OpenShift Web Console

Lab Objective In this lab, you will deploy a Java Spring Boot application on OpenShift using the OpenShift web console. You will deploy two components: The Java…

Read More

OpenShift Lab 12: Deploy an Application from an Existing Container Image Using the OpenShift Web Console

Lab Objective In this lab, you will deploy an application on OpenShift from an existing container image. This lab is different from building an application from source…

Read More

OpenShift: How to Install OpenShift CLIย oc

Option – 1 – REDHAT Websites URL – https://access.redhat.com/downloads/content/290/ver=4.18/rhel—9/4.18.11/x86_64/product-software Option – 2 – OKD Websites The OKD (Origin Community Distribution of Kubernetes for OpenShift) is the open-source…

Read More
Subscribe
Notify of
guest
0 Comments
Newest
Oldest Most Voted
0
Would love your thoughts, please comment.x
()
x