OpenShift SCC Explained¶
Introduction¶
Security Context Constraints control what pods are allowed to do in OpenShift. SCC failures usually mention forbidden securityContext fields, UID ranges, host access, or privilege requests.
Core Concepts¶
OpenShift builds on Kubernetes with projects, Routes, ImageStreams, Builds, Operators, SCCs, and integrated platform administration.
Practical Examples¶
oc describe pod web-7c9d7f6f8b-jx4mk -n app
oc get scc restricted-v2 -o yaml
oc adm policy add-scc-to-user anyuid -z web-sa -n app
oc auth can-i use scc/anyuid --as=system:serviceaccount:app:web-sa
Example output:
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:anyuid added: "web-sa"
yes
Example YAML¶
apiVersion: v1
kind: Pod
metadata:
name: web
spec:
serviceAccountName: web-sa
containers:
- name: web
image: registry.access.redhat.com/ubi9/httpd-24
Verification¶
oc auth can-i use scc/anyuid --as=system:serviceaccount:app:web-sa
oc describe pod -l app=web -n app
Common Mistakes¶
- Granting privileged SCC when anyuid or a tighter custom SCC is enough.
- Granting SCC to a user instead of the service account used by the pod.
- Ignoring OpenShift default random UID behavior.
Quick Checklist¶
- Confirm the active project.
- Inspect the exact object named in the error.
- Read recent events.
- Apply one focused fix.
- Verify status after the change.
Related Guides¶
Summary¶
OpenShift SCC Explained is best understood through the OpenShift objects involved and the oc commands that verify their current state.