{"id":49282,"date":"2025-05-05T14:37:31","date_gmt":"2025-05-05T14:37:31","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=49282"},"modified":"2025-07-12T05:56:32","modified_gmt":"2025-07-12T05:56:32","slug":"what-are-security-context-constraints-scc-in-openshift","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/what-are-security-context-constraints-scc-in-openshift\/","title":{"rendered":"What are Security Context Constraints (SCC) in OpenShift?"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">\ud83d\udd10 What are Security Context Constraints (SCC) in OpenShift?<\/h3>\n\n\n\n<p><strong>Security Context Constraints (SCC)<\/strong> are OpenShift\u2019s mechanism for controlling <strong>security-sensitive aspects<\/strong> of how containers run in the cluster. SCCs define a set of rules that govern what actions a <strong>pod<\/strong> or <strong>container<\/strong> can perform and what privileges it can have.<\/p>\n\n\n\n<p>They are a powerful <strong>RBAC + security enforcement layer<\/strong>, unique to OpenShift, built to enforce <strong>strong multi-tenancy and non-root container execution<\/strong> \u2014 making it more secure than vanilla Kubernetes by default.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udea7 Why SCCs Matter<\/h3>\n\n\n\n<p>By default, OpenShift enforces <strong>non-root, least privilege<\/strong> principles through SCCs. 
This prevents containers from:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Running as the root user<\/li>\n\n\n\n<li>Mounting host paths<\/li>\n\n\n\n<li>Running privileged containers<\/li>\n\n\n\n<li>Escaping the container isolation<\/li>\n<\/ul>\n\n\n\n<p>This protects the cluster from poorly configured or potentially malicious workloads.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\uddf1 Key Features of SCC<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>SCC Attribute<\/strong><\/th><th><strong>What It Does<\/strong><\/th><\/tr><\/thead><tbody><tr><td><code>runAsUser<\/code><\/td><td>Controls if the pod can run as root or must use a specific UID<\/td><\/tr><tr><td><code>seLinuxContext<\/code><\/td><td>Defines SELinux labels that must be applied to containers<\/td><\/tr><tr><td><code>allowPrivilegedContainer<\/code><\/td><td>Determines whether a pod can request privileged mode<\/td><\/tr><tr><td><code>volumes<\/code><\/td><td>Limits which volume types (e.g., hostPath, PVC) a pod can mount<\/td><\/tr><tr><td><code>allowHostNetwork<\/code><\/td><td>Determines if a pod can use the host\u2019s network namespace<\/td><\/tr><tr><td><code>allowHostPID\/IPC<\/code><\/td><td>Controls access to the host\u2019s PID or IPC namespaces<\/td><\/tr><tr><td><code>readOnlyRootFilesystem<\/code><\/td><td>Forces the container to use a read-only root filesystem<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\udde9 Default SCCs in OpenShift<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><strong>SCC Name<\/strong><\/th><th><strong>Use Case<\/strong><\/th><th><strong>Allows Running as 
Root?<\/strong><\/th><th><strong>Privileged?<\/strong><\/th><\/tr><\/thead><tbody><tr><td><code>restricted<\/code><\/td><td>Default for most users<\/td><td>\u274c No<\/td><td>\u274c No<\/td><\/tr><tr><td><code>anyuid<\/code><\/td><td>For workloads that <strong>require root<\/strong><\/td><td>\u2705 Yes<\/td><td>\u274c No<\/td><\/tr><tr><td><code>privileged<\/code><\/td><td>For system-level workloads<\/td><td>\u2705 Yes<\/td><td>\u2705 Yes<\/td><\/tr><tr><td><code>hostaccess<\/code><\/td><td>Allows host network and volumes<\/td><td>\u2705 Yes<\/td><td>\u274c No<\/td><\/tr><tr><td><code>nonroot<\/code><\/td><td>Must run as non-root explicitly<\/td><td>\u274c No<\/td><td>\u274c No<\/td><\/tr><tr><td><code>baseline<\/code> (v4.x+)<\/td><td>Common for unprivileged workloads<\/td><td>\u274c No<\/td><td>\u274c No<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>You can view all SCCs in your cluster with:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">oc get scc\n<\/code><\/span><\/pre>\n\n\n<p>And inspect details with:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">oc describe scc restricted\n<\/code><\/span><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd11 Binding SCCs to Users\/Service Accounts<\/h3>\n\n\n\n<p>OpenShift assigns SCCs using <strong>RBAC bindings<\/strong> to users, groups, or service accounts. 
Example:<\/p>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">oc adm policy add-scc-to-user anyuid -z myserviceaccount -n mynamespace\n<\/code><\/span><\/pre>\n\n\n<p>This allows your pod to run under the <code>anyuid<\/code> SCC \u2014 enabling it to run as root, if required.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\u26a0\ufe0f Common SCC-Related Errors<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>&#8220;permission denied&#8221;<\/strong> when trying to bind to a port &lt; 1024 \u2192 likely because the <code>restricted<\/code> SCC does not allow running as root.<\/li>\n\n\n\n<li><strong>&#8220;hostPath volume mounts are not allowed&#8221;<\/strong> \u2192 the SCC does not permit the hostPath volume type.<\/li>\n\n\n\n<li><strong>Container fails to start due to UID mismatch<\/strong> \u2192 the pod is expected to run with a specific UID or as non-root.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">\u2705 Best Practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Stick with the <strong><code>restricted<\/code><\/strong> SCC whenever possible.<\/li>\n\n\n\n<li>Avoid using <code>anyuid<\/code> or <code>privileged<\/code> unless absolutely necessary.<\/li>\n\n\n\n<li>Use <strong>custom SCCs<\/strong> for edge cases (e.g., to allow <code>hostPath<\/code> volumes or specific capabilities).<\/li>\n\n\n\n<li>Always audit SCC use for security compliance.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>\ud83d\udd10 What are Security Context Constraints (SCC) in OpenShift? Security Context Constraints (SCC) are OpenShift\u2019s mechanism for controlling security-sensitive aspects of how containers run in the cluster. 
SCCs define a&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[5153],"tags":[],"class_list":["post-49282","post","type-post","status-publish","format-standard","hentry","category-openshift"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49282","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=49282"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49282\/revisions"}],"predecessor-version":[{"id":49283,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/49282\/revisions\/49283"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=49282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=49282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=49282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}