Security context constraints
Before we start, let's bring up the MiniShift environment again:
$ minishift start --openshift-version 3.9.0 --vm-driver virtualbox
...
<output omitted>
...
Another mechanism for controlling the behavior of pods is security context constraints (SCCs). These cluster-level resources define what resources can be accessed by pods and provide an additional level of control. By default, OpenShift supports seven SCCs:
$ oc login -u system:admin
...
<output omitted>
...
$ oc get scc
anyuid ...
hostaccess ...
hostmount-anyuid ...
hostnetwork ...
nonroot ...
privileged ...
restricted ...
You may notice the anyuid SCC, which we used in the subsection "Creating custom roles" to solve the problem with the container's permissions.
By default, all pods, except those for builds and deployments, use a default service account assigned by the restricted SCC, which doesn't allow privileged containers – that is, those...
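To review which SCCs loosen the restricted defaults and who has been granted them (for example, after adding a service account to anyuid), the following added example, which is not part of the original text, audits the output of `oc get scc -o json`. The sample data is constructed and abridged, and the project name `myproject` is an assumption.

```python
import json

# SCC fields that, when true, widen what a pod may do on the node.
HOST_FLAGS = ("allowPrivilegedContainer", "allowHostNetwork", "allowHostPorts",
              "allowHostPID", "allowHostIPC", "allowHostDirVolumePlugin")

def audit_sccs(scc_list):
    """Map each SCC that relaxes a control and is granted to someone
    to its relaxations and its subjects (users and groups)."""
    findings = {}
    for scc in scc_list.get("items", []):
        relaxed = [flag for flag in HOST_FLAGS if scc.get(flag) is True]
        # RunAsAny lets the container run as any UID, including root.
        if scc.get("runAsUser", {}).get("type") == "RunAsAny":
            relaxed.append("runAsUser=RunAsAny")
        subjects = sorted((scc.get("users") or []) + (scc.get("groups") or []))
        if relaxed and subjects:
            findings[scc["metadata"]["name"]] = {
                "relaxations": relaxed, "subjects": subjects}
    return findings

def service_accounts(findings):
    """Service accounts (not human users or groups) holding a relaxed SCC."""
    prefix = "system:serviceaccount:"
    return sorted({s for f in findings.values()
                   for s in f["subjects"] if s.startswith(prefix)})

# Constructed, abridged sample in the shape of `oc get scc -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "restricted"}, "allowPrivilegedContainer": false,
   "allowHostNetwork": false, "runAsUser": {"type": "MustRunAsRange"},
   "users": [], "groups": ["system:authenticated"]},
  {"metadata": {"name": "anyuid"}, "allowPrivilegedContainer": false,
   "allowHostNetwork": false, "runAsUser": {"type": "RunAsAny"},
   "users": ["system:serviceaccount:myproject:default"],
   "groups": ["system:cluster-admins"]},
  {"metadata": {"name": "privileged"}, "allowPrivilegedContainer": true,
   "allowHostNetwork": true, "allowHostPID": true,
   "runAsUser": {"type": "RunAsAny"},
   "users": ["system:admin"], "groups": ["system:nodes"]}
]}
""")

if __name__ == "__main__":
    result = audit_sccs(SAMPLE)
    for name, finding in result.items():
        print(name, finding["relaxations"], finding["subjects"])
    print("service accounts:", service_accounts(result))
```

On a live cluster, replace `SAMPLE` with `json.load(sys.stdin)` and pipe in `oc get scc -o json` as a cluster administrator.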