
Commit ff5fd19

Merge pull request #5289 from php-coder/scc_request_privileged_mode
admin_guide/manage_scc: improve the steps for using the privileged SCC
2 parents 92040c2 + d7d4db1 commit ff5fd19

File tree

1 file changed

+15
-10
lines changed


admin_guide/manage_scc.adoc

Lines changed: 15 additions & 10 deletions
@@ -250,28 +250,30 @@ In some cases, an administrator might want to allow users or groups outside the
250250
administrator group access to create more _privileged pods_. To do so, you can:
251251

252252
. Determine the user or group you would like to have access to the SCC.
253+
+
254+
[WARNING]
255+
====
256+
Granting access to a user only works when the user directly creates a pod. For
257+
pods created on behalf of a user, **in most cases** by the system itself, **access
258+
should be given to a service account** under which related controller is operated
259+
upon. Examples of resources that create pods on behalf of a user are
260+
Deployments, StatefulSets, DaemonSets, etc.
261+
====
253262

254263
. Run:
255264
+
256265
----
257266
$ oc adm policy add-scc-to-user <scc_name> <user_name>
258267
$ oc adm policy add-scc-to-group <scc_name> <group_name>
259268
----
260-
269+
+
261270
For example, to allow the *e2e-user* access to the *privileged* SCC, run:
262-
271+
+
263272
----
264273
$ oc adm policy add-scc-to-user privileged e2e-user
265274
----
266275

267-
[WARNING]
268-
====
269-
Granting access to a user only works when the user directly creates a pod. For
270-
pods created on behalf of a user, in most cases by the system itself, access
271-
should be given to a service account under which related controller is operated
272-
upon. Examples of resources that create pods on behalf of a user are
273-
Deployments, StatefulSets, DaemonSets, etc.
274-
====
276+
. Modify `SecurityContext` of a container to request a privileged mode.
275277

276278
[[grant-a-service-account-access-to-the-privileged-scc]]
277279

@@ -295,6 +297,9 @@ account. To do so, set the `spec.serviceAccountName` field to a service account
295297
name. Leaving the service account name blank will result in the `default`
296298
service account being used.
297299

300+
Then, ensure that at least one of the pod's containers is requesting a
301+
privileged mode in the security context.
302+
298303
[[enable-images-to-run-with-user-in-the-dockerfile]]
299304

300305
=== Enable Images to Run with USER in the Dockerfile
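Review bot: the added sentence (lines 300-301), "ensure that at least one of the pod's containers is requesting a privileged mode in the security context", should say "privileged mode" (no article) and, since this section covers the service-account route, would be clearer if it named the field to set rather than leaving the reader to find the container step in the previous section; otherwise the trailing blank line (302) before the next section anchor is consistent with the file's layout.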
