What Really Happens After SCC Admission in OpenShift?
The article discusses the intricacies of Security Context Constraints (SCC) in OpenShift and their role in managing container capabilities. It highlights a scenario where a development team encounters issues with ICMP ping health checks despite the SCC allowing the necessary capabilities. The author emphasizes that SCCs are admission-time gates and do not enforce runtime privileges, which can lead to misunderstandings among engineers.
- Security Context Constraints (SCC) control the security configuration allowed in OpenShift clusters.
- SCCs do not enforce runtime privileges; they only determine whether a security configuration can be submitted.
- The actual enforcement of capabilities occurs in a separate stack involving kubelet, CRI-O, and the Linux kernel.
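A runtime check that follows from the distinction above, written for this page rather than taken from the article: decode the capability masks the kernel reports in /proc/<pid>/status and compare the bounding set, which reflects what admission allowed into the container, with the effective set, which is what the process can actually use. The sample status lines are constructed, and the mask value is a common container default bounding set, not a value from the article.

```python
"""Decode a process's Linux capability sets from /proc/<pid>/status (run it
inside the container). Bit numbers follow include/uapi/linux/capability.h."""
import re

CAP_NET_RAW = 13  # raw/packet sockets, e.g. unprivileged ICMP ping
CAP_SET_RE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$")

def parse_cap_sets(status_text: str) -> dict:
    """Return the five capability masks as ints, keyed 'CapInh' .. 'CapAmb'."""
    sets = {}
    for line in status_text.splitlines():
        m = CAP_SET_RE.match(line.strip())
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    missing = {"CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"} - sets.keys()
    if missing:
        raise ValueError(f"status text lacks capability sets: {sorted(missing)}")
    return sets

def has_cap(mask: int, cap: int) -> bool:
    return (mask >> cap) & 1 == 1

def runtime_verdict(status_text: str, cap: int = CAP_NET_RAW) -> str:
    """Compare what admission allowed (bounding set) with what the process can
    actually use (effective set). 'bounded-only' is the state the article's
    story turns on: the capability was admitted but is not in effect."""
    sets = parse_cap_sets(status_text)
    if has_cap(sets["CapEff"], cap):
        return "effective"
    if has_cap(sets["CapBnd"], cap):
        return "bounded-only"
    return "absent"

# Constructed samples, not captured from a real cluster. 0xa80425fb is a common
# container default bounding mask and has bit 13 (CAP_NET_RAW) set.
SAMPLE_NONROOT = """\
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
SAMPLE_ROOT = SAMPLE_NONROOT.replace("CapPrm:\t0000000000000000", "CapPrm:\t00000000a80425fb") \
                            .replace("CapEff:\t0000000000000000", "CapEff:\t00000000a80425fb")

if __name__ == "__main__":
    with open("/proc/self/status", encoding="utf-8") as fh:  # live check
        print("CAP_NET_RAW for this process:", runtime_verdict(fh.read()))
    print("sample non-root:", runtime_verdict(SAMPLE_NONROOT))
```

A process running with a non-zero UID starts with empty permitted and effective sets unless file or ambient capabilities supply them, which is why "bounded-only" is the state to look for first when an admitted capability does not work at runtime.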
Opening excerpt (first ~120 words):

Nandan Hegde
Posted on May 21

What Really Happens After SCC Admission in OpenShift?

#kubernetes #linux #openshift #security

A Debugging Story That Will Change How You Think About Container Capabilities

You are a platform engineer running OpenShift. A development team runs a monitoring sidecar as a non-root user that needs to perform ICMP ping health checks. They need CAP_NET_RAW - the capability required for raw socket access. Straightforward enough.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at DEV.to.