๐ What are Security Context Constraints (SCC) in OpenShift?
Security Context Constraints (SCC) are OpenShiftโs mechanism for controlling security-sensitive aspects of how containers run in the cluster. SCCs define a set of rules that govern what actions a pod or container can perform and what privileges it can have.
They are a powerful RBAC + security enforcement layer, unique to OpenShift, built to enforce strong multi-tenancy and non-root container execution โ making it more secure than vanilla Kubernetes by default.
๐ง Why SCCs Matter
By default, OpenShift enforces non-root, least privilege principles through SCCs. This prevents containers from:
- Running as the root user
- Mounting host paths
- Running privileged containers
- Escaping the container isolation
This protects the cluster from poorly configured or potentially malicious workloads.
๐งฑ Key Features of SCC
| SCC Attribute | What It Does |
|---|---|
runAsUser | Controls if the pod can run as root or must use a specific UID |
seLinuxContext | Defines SELinux labels that must be applied to containers |
allowPrivilegedContainer | Determines whether a pod can request privileged mode |
volumes | Limits which volume types (e.g., hostPath, PVC) a pod can mount |
allowHostNetwork | Determines if a pod can use the hostโs network namespace |
allowHostPID/IPC | Controls access to the hostโs PID or IPC namespaces |
readOnlyRootFilesystem | Forces the container to use a read-only root filesystem |
๐งฉ Default SCCs in OpenShift
| SCC Name | Use Case | Allows Running as Root? | Privileged? |
|---|---|---|---|
restricted | Default for most users | โ No | โ No |
anyuid | For workloads that require root | โ Yes | โ No |
privileged | For system-level workloads | โ Yes | โ Yes |
hostaccess | Allows host network and volumes | โ Yes | โ No |
nonroot | Must run as non-root explicitly | โ No | โ No |
baseline (v4.x+) | Common for unprivileged workloads | โ No | โ No |
You can view all SCCs in your cluster with:
oc get scc
Code language: JavaScript (javascript)And inspect details with:
oc describe scc restricted
๐ Binding SCCs to Users/Service Accounts
OpenShift assigns SCCs using RBAC bindings to users, groups, or service accounts. Example:
oc adm policy add-scc-to-user anyuid -z myserviceaccount -n mynamespace
This allows your pod to run under the anyuid SCC โ enabling it to run as root, if required.
โ ๏ธ Common SCC-Related Errors
- “permission denied” when trying to bind to port < 1024 โ likely due to
restrictedSCC not allowing root. - “hostPath volume mounts are not allowed” โ SCC does not permit hostPath volume type.
- Container fails to start due to UID mismatch โ Pod expected to run with a specific UID or non-root.
โ Best Practices
- Stick with the
restrictedSCC whenever possible. - Avoid using
anyuidorprivilegedunless absolutely necessary. - Use custom SCCs for edge cases (e.g., to allow
hostPathvolumes or specific capabilities). - Always audit SCC use for security compliance.
Iโm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services โ all in one place.
Explore Hospitals