Role-based Access Control (RBAC) objects determine whether a user is allowed to perform a given action within a project.
It allows developers to use local roles and bindings to control who has access to their projects. Note that authorization is a separate step from authentication, which is more about determining the identity of who is taking the action.
Authorization is managed using:
Sets of permitted verbs on a set of
objects. For example, whether something can
|
|
Collections of rules. Users and groups can be associated with, or bound to, multiple roles at the same time. |
|
Associations between users and/or groups with a role. |
The relationships between cluster roles, local roles, cluster role bindings, local role bindings, users, groups and service accounts are illustrated below.
Several factors are combined to make the decision when OpenShift Dedicated evaluates authorization:
In the context of authorization, both the user name and list of groups the user belongs to. |
|||||||
The action being performed. In most cases, this consists of:
|
|||||||
Bindings |
The full list of bindings. |
OpenShift Dedicated evaluates authorizations using the following steps:
The identity and the project-scoped action is used to find all bindings that apply to the user or their groups.
Bindings are used to locate all the roles that apply.
Roles are used to find all the rules that apply.
The action is checked against each rule to find a match.
If no matching rule is found, the action is then denied by default.
There are two levels of RBAC roles and bindings that control authorization:
Cluster RBAC |
Roles and bindings that are applicable across all projects. Roles that exist cluster-wide are considered cluster roles. Cluster role bindings can only reference cluster roles. |
Local RBAC |
Roles and bindings that are scoped to a given project. Roles that exist only in a project are considered local roles. Local role bindings can reference both cluster and local roles. |
This two-level hierarchy allows re-usability over multiple projects through the cluster roles while allowing customization inside of individual projects through local roles.
During evaluation, both the cluster role bindings and the local role bindings are used. For example:
Cluster-wide "allow" rules are checked.
Locally-bound "allow" rules are checked.
Deny by default.
Roles are collections of policy rules, which are sets of permitted verbs that can be performed on a set of resources. OpenShift Dedicated includes a set of default cluster roles that can be bound to users and groups cluster wide or locally.
Default Cluster Role | Description |
---|---|
admin |
A project manager. If used in a local binding, an admin user will have rights to view any resource in the project and modify any resource in the project except for quota. |
basic-user |
A user that can get basic information about projects and users. |
cluster-admin |
A super-user that can perform any action in any project. When bound to a user with a local binding, they have full control over quota and every action on every resource in the project. |
cluster-status |
A user that can get basic cluster status information. |
edit |
A user that can modify most objects in a project, but does not have the power to view or modify roles or bindings. |
self-provisioner |
A user that can create their own projects. |
view |
A user who cannot make any modifications, but can see most objects in a project. They cannot view or modify roles or bindings. |
cluster-reader |
A user who can read, but not view, objects in the cluster. |
Remember that users and groups can be associated with, or bound to, multiple roles at the same time. |
Project administrators can visualize roles, including a matrix of the verbs and resources each are associated using the CLI to view local bindings.
The cluster role bound to the project administrator is limited in a project via a local binding. It is not bound cluster-wide like the cluster roles granted to the cluster-admin or system:admin. Cluster roles are roles defined at the cluster level, but can be bound either at the cluster level or at the project level. |
In addition to the RBAC resources that control what a user can do, OpenShift Dedicated provides security context constraints (SCC) that control the actions that a pod can perform and what it has the ability to access. Administrators can manage SCCs using the CLI.
SCCs are also very useful for managing access to persistent storage.
SCCs are objects that define a set of conditions that a pod must run with in order to be accepted into the system. They allow an administrator to control the following:
Running of privileged containers.
Capabilities a container can request to be added.
Use of host directories as volumes.
The SELinux context of the container.
The user ID.
The use of host namespaces and networking.
Allocating an FSGroup
that owns the pod’s volumes
Configuring allowable supplemental groups
Requiring the use of a read only root file system
Controlling the usage of volume types
Configuring allowable seccomp profiles
Seven SCCs are added to the cluster by default, and are viewable by cluster administrators using the CLI:
$ oc get scc
NAME PRIV CAPS SELINUX RUNASUSER FSGROUP SUPGROUP PRIORITY READONLYROOTFS VOLUMES
anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny 10 false [configMap downwardAPI emptyDir persistentVolumeClaim secret]
hostaccess false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir hostPath persistentVolumeClaim secret]
hostmount-anyuid false [] MustRunAs RunAsAny RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim secret]
hostnetwork false [] MustRunAs MustRunAsRange MustRunAs MustRunAs <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret]
nonroot false [] MustRunAs MustRunAsNonRoot RunAsAny RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret]
privileged true [*] RunAsAny RunAsAny RunAsAny RunAsAny <none> false [*]
restricted false [] MustRunAs MustRunAsRange MustRunAs RunAsAny <none> false [configMap downwardAPI emptyDir persistentVolumeClaim secret]
Do not modify the default SCCs. Customizing the default SCCs can lead to issues when OpenShift Dedicated is upgraded. |
The definition for each SCC is also viewable by cluster administrators using the CLI. For example, for the privileged SCC:
$ oc get -o yaml --export scc/privileged
allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
allowPrivilegedContainer: true
allowedCapabilities: (1)
- '*'
apiVersion: v1
defaultAddCapabilities: [] (2)
fsGroup: (3)
type: RunAsAny
groups: (4)
- system:cluster-admins
- system:nodes
kind: SecurityContextConstraints
metadata:
annotations:
kubernetes.io/description: 'privileged allows access to all privileged and host
features and the ability to run as any user, any group, any fsGroup, and with
any SELinux context. WARNING: this is the most relaxed SCC and should be used
only for cluster administration. Grant with caution.'
creationTimestamp: null
name: privileged
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: [] (5)
runAsUser: (6)
type: RunAsAny
seLinuxContext: (7)
type: RunAsAny
seccompProfiles:
- '*'
supplementalGroups: (8)
type: RunAsAny
users: (9)
- system:serviceaccount:default:registry
- system:serviceaccount:default:router
- system:serviceaccount:openshift-infra:build-controller
volumes:
- '*'
1 | A list of capabilities that can be requested by a pod. An empty list means
that none of capabilities can be requested while the special symbol *
allows any capabilities. |
2 | A list of additional capabilities that will be added to any pod. |
3 | The FSGroup strategy which dictates the allowable values for the
Security Context. |
4 | The groups that have access to this SCC. |
5 | A list of capabilities that will be dropped from a pod. |
6 | The run as user strategy type which dictates the allowable values for the Security Context. |
7 | The SELinux context strategy type which dictates the allowable values for the Security Context. |
8 | The supplemental groups strategy which dictates the allowable supplemental groups for the Security Context. |
9 | The users who have access to this SCC. |
The users
and groups
fields on the SCC control which SCCs can be used.
By default, cluster administrators, nodes, and the build controller are granted
access to the privileged SCC. All authenticated users are granted access to the
restricted SCC.
Docker has a
default
list of capabilities that are allowed for each container of a pod. The
containers use the capabilities from this default list, but pod manifest authors
can alter it by requesting additional capabilities or dropping some of
defaulting. The allowedCapabilities
, defaultAddCapabilities
, and
requiredDropCapabilities
fields are used to control such requests from the
pods, and to dictate which capabilities can be requested, which ones must be
added to each container, and which ones must be forbidden.
The privileged SCC:
allows privileged pods.
allows host directories to be mounted as volumes.
allows a pod to run as any user.
allows a pod to run with any MCS label.
allows a pod to use the host’s IPC namespace.
allows a pod to use the host’s PID namespace.
allows a pod to use any FSGroup.
allows a pod to use any supplemental group.
allows a pod to use any seccomp profiles.
allows a pod to request any capabilities.
The restricted SCC:
ensures pods cannot run as privileged.
ensures pods cannot use host directory volumes.
requires that a pod run as a user in a pre-allocated range of UIDs.
requires that a pod run with a pre-allocated MCS label.
allows a pod to use any FSGroup.
allows a pod to use any supplemental group.
For more information about each SCC, see the kubernetes.io/description annotation available on the SCC. |
SCCs are comprised of settings and strategies that control the security features a pod has access to. These settings fall into three categories:
Controlled by a boolean |
Fields of this type default to the most restrictive value. For example,
|
Controlled by an allowable set |
Fields of this type are checked against the set to ensure their value is allowed. |
Controlled by a strategy |
Items that have a strategy to generate a value provide:
|
MustRunAs - Requires a runAsUser
to be configured. Uses the configured
runAsUser
as the default. Validates against the configured runAsUser
.
MustRunAsRange - Requires minimum and maximum values to be defined if not using pre-allocated values. Uses the minimum as the default. Validates against the entire allowable range.
MustRunAsNonRoot - Requires that the pod be submitted with a non-zero
runAsUser
or have the USER
directive defined in the image. No default
provided.
RunAsAny - No default provided. Allows any runAsUser
to be specified.
MustRunAs - Requires seLinuxOptions
to be configured if not using
pre-allocated values. Uses seLinuxOptions
as the default. Validates against
seLinuxOptions
.
RunAsAny - No default provided. Allows any seLinuxOptions
to be
specified.
The usage of specific volume types can be controlled by setting the volumes
field of the SCC. The allowable values of this field correspond to the volume
sources that are defined when creating a volume:
cinder
configMap
photonPersistentDisk
* (a special value to allow the use of all volume types)
none (a special value to disallow the use of all volumes types. Exist only for backwards compatibility)
The recommended minimum set of allowed volumes for new SCCs are configMap, downwardAPI, emptyDir, persistentVolumeClaim, secret, and projected.
The list of allowable volume types is not exhaustive because new types are added with each release of OpenShift Dedicated. |
For backwards compatibility, the usage of |
OpenShift Dedicated provides additional control of FlexVolumes based on their
driver. When SCC allows the usage of FlexVolumes, pods can request any
FlexVolumes. However, when the cluster administrator specifies driver names in
the AllowedFlexVolumes
field, pods must only use FlexVolumes with these
drivers.
volumes:
- flexVolume
allowedFlexVolumes:
- driver: example/lvm
- driver: example/cifs
SeccompProfiles lists the allowed profiles that can be set for the pod or
container’s seccomp annotations. An unset (nil) or empty value means that no
profiles are specified by the pod or container. Use the wildcard *
to allow
all profiles. When used to generate a value for a pod, the first non-wildcard
profile is used as the default.
Admission control with SCCs allows for control over the creation of resources based on the capabilities granted to a user.
In terms of the SCCs, this means that an admission controller can inspect the user information made available in the context to retrieve an appropriate set of SCCs. Doing so ensures the pod is authorized to make requests about its operating environment or to generate a set of constraints to apply to the pod.
The set of SCCs that admission uses to authorize a pod are determined by the user identity and groups that the user belongs to. Additionally, if the pod specifies a service account, the set of allowable SCCs includes any constraints accessible to the service account.
Admission uses the following approach to create the final security context for the pod:
Retrieve all SCCs available for use.
Generate field values for security context settings that were not specified on the request.
Validate the final settings against the available constraints.
If a matching set of constraints is found, then the pod is accepted. If the request cannot be matched to an SCC, the pod is rejected.
A pod must validate every field against the SCC. The following are examples for just two of the fields that must be validated:
These examples are in the context of a strategy using the preallocated values. |
A FSGroup SCC Strategy of MustRunAs
If the pod defines a fsGroup
ID, then that ID must equal the default
fsGroup
ID. Otherwise, the pod is not validated by that SCC and the next SCC
is evaluated.
If the SecurityContextConstraints.fsGroup
field has value RunAsAny
and the pod specification omits the Pod.spec.securityContext.fsGroup
,
then this field is considered valid. Note that it is possible that during
validation, other SCC settings will reject other pod fields and thus cause the
pod to fail.
A SupplementalGroups SCC Strategy of MustRunAs
If the pod specification defines one or more supplementalGroups
IDs, then
the pod’s IDs must equal one of the IDs in the namespace’s
openshift.io/sa.scc.supplemental-groups annotation. Otherwise, the pod is not
validated by that SCC and the next SCC is evaluated.
If the SecurityContextConstraints.supplementalGroups
field has value RunAsAny
and the pod specification omits the Pod.spec.securityContext.supplementalGroups
,
then this field is considered valid. Note that it is possible that during
validation, other SCC settings will reject other pod fields and thus cause the
pod to fail.
SCCs have a priority field that affects the ordering when attempting to validate a request by the admission controller. A higher priority SCC is moved to the front of the set when sorting. When the complete set of available SCCs are determined they are ordered by:
Highest priority first, nil is considered a 0 priority
If priorities are equal, the SCCs will be sorted from most restrictive to least restrictive
If both priorities and restrictions are equal the SCCs will be sorted by name
By default, the anyuid SCC granted to cluster administrators is given priority
in their SCC set. This allows cluster administrators to run pods as any
user by without specifying a RunAsUser
on the pod’s SecurityContext
. The
administrator may still specify a RunAsUser
if they wish.
Starting with OpenShift Dedicated 3.11, you can specify SCCs as a resource that is handled by RBAC. This allows you to scope access to your SCCs to a certain project or to the entire cluster. Assigning users, groups or service accounts directly to an SCC retains cluster-wide scope.
To include access to SCCs for your role, you specify the following rule in the definition of the role: .Role-Based Access to SCCs
rules:
- apiGroups:
- security.openshift.io (1)
resources:
- securitycontextconstraints (2)
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
resourceNames:
- myPermittingSCC (3)
1 | The API group that includes the securitycontextconstraints resource |
2 | Name of the resource group that allows users to specify SCC names in the
resourceNames field |
3 | An example name for an SCC you want to give access to |
A local or cluster role with such a rule allows the subjects that are bound to it with a rolebinding or a clusterrolebinding to use the user-defined SCC called myPermittingSCC.
Because RBAC is designed to prevent escalation, even project administrators will be unable to grant access to an SCC because they are not allowed, by default, to use the verb use on SCC resources, including the restricted SCC. |
The admission controller is aware of certain conditions in the security context constraints that trigger it to look up pre-allocated values from a namespace and populate the security context constraint before processing the pod. Each SCC strategy is evaluated independently of other strategies, with the pre-allocated values (where allowed) for each policy aggregated with pod specification values to make the final values for the various IDs defined in the running pod.
The following SCCs cause the admission controller to look for pre-allocated values when no ranges are defined in the pod specification:
A RunAsUser
strategy of MustRunAsRange with no minimum or maximum set.
Admission looks for the openshift.io/sa.scc.uid-range annotation to populate
range fields.
An SELinuxContext
strategy of MustRunAs with no level set. Admission
looks for the openshift.io/sa.scc.mcs annotation to populate the level.
A FSGroup
strategy of MustRunAs. Admission looks for the
openshift.io/sa.scc.supplemental-groups annotation.
A SupplementalGroups
strategy of MustRunAs. Admission looks for the
openshift.io/sa.scc.supplemental-groups annotation.
During the generation phase, the security context provider will default any values that are not specifically set in the pod. Defaulting is based on the strategy being used:
RunAsAny
and MustRunAsNonRoot
strategies do not provide default
values. Thus, if the pod needs a field defined (for example, a group ID), this
field must be defined inside the pod specification.
MustRunAs
(single value) strategies provide a default value which is
always used. As an example, for group IDs: even if the pod specification defines
its own ID value, the namespace’s default field will also appear in the pod’s
groups.
MustRunAsRange
and MustRunAs
(range-based) strategies provide the
minimum value of the range. As with a single value MustRunAs
strategy, the
namespace’s default value will appear in the running pod. If a range-based
strategy is configurable with multiple ranges, it will provide the minimum value
of the first configured range.
|
By default, the annotation-based |
The openshift.io/sa.scc.supplemental-groups annotation accepts a comma
delimited list of blocks in the format of |