OpenShift Bugs / OCPBUGS-20469

[doc] The users and groups fields are legacy fields, access to SCCs is driven by RBAC

    • Important
    • Release Note Not Required

      Description of problem:

      In https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html#security-context-constraints-example_configuring-internal-oauth , it says:

      4,  The groups that can access this SCC. 

      9,  The users who can access this SCC.

      "The users and groups fields on the SCC control which users can access the SCC. " 

      In https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html#examining-a-security-context-constraints-object_configuring-internal-oauth , it says:

      1, Lists which users and service accounts the SCC is applied to.
      2, Lists which groups the SCC is applied to.

      But actually, the `users` and `groups` fields are legacy fields; access to SCCs is driven by RBAC, see: https://redhat-internal.slack.com/archives/CH76YSYSC/p1697020909456579?thread_ts=1697018959.564269&cid=CH76YSYSC 

      For example, no users were added to the Users field:

      version   4.14.0-0.nightly-2023-10-10-084534
      1, describe the SCC datadog, as follows:
      MacBook-Pro:~ jianzhang$ oc describe scc datadog
      Name:        datadog
      Priority:    8
      Access:
        Users:     system:serviceaccount:datadog:datadog
        Groups:    <none>
      ...

      2, add a new SA to this SCC:
      MacBook-Pro:~ jianzhang$ oc project
      Using project "openshift-operator-lifecycle-manager" on server "https://api.qe-daily-414-1011.qe.devcluster.openshift.com:6443".
      MacBook-Pro:~ jianzhang$ oc get sa
      NAME                          SECRETS   AGE
      builder                       1         10h
      collect-profiles              1         10h
      default                       1         10h
      deployer                      1         10h
      olm-operator-serviceaccount   1         10h
      MacBook-Pro:~ jianzhang$ oc adm policy add-scc-to-user datadog -z olm-operator-serviceaccount
      clusterrole.rbac.authorization.k8s.io/system:openshift:scc:datadog added: "olm-operator-serviceaccount"

      3, that olm-operator-serviceaccount wasn't listed in this `Users` field:
      MacBook-Pro:~ jianzhang$ oc describe scc datadog
      Name:        datadog
      Priority:    8
      Access:
        Users:     system:serviceaccount:datadog:datadog
        Groups:    <none>

      How reproducible:

      always

      Expected results:

      Remove the related Users and Groups field introductions, and add this: "The users and groups fields are legacy fields; access to SCCs is driven by RBAC (https://docs.openshift.com/container-platform/4.13/authentication/managing-security-context-constraints.html#role-based-access-to-ssc_configuring-internal-oauth)".

       

      Additional info:

       
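      The RBAC path the report describes, as an added illustration that is not part of the bug report or of the OpenShift docs: the `oc adm policy add-scc-to-user` command above prints the ClusterRole it binds, `system:openshift:scc:datadog`, and that role is what actually grants the service account the right to use the SCC. The manifest below shows the equivalent objects written out by hand. The ClusterRole name and the SCC/SA/namespace names are taken from the report's output; the RoleBinding name and the exact rule layout are assumptions for this example.

```yaml
# Added illustration, not the report's own objects and not generated cluster output.
# Granting "use" on a named securitycontextconstraints resource is the whole grant;
# nothing is written into the SCC's legacy users/groups fields.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:openshift:scc:datadog   # name printed by `oc adm policy add-scc-to-user datadog ...`
rules:
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  resourceNames:
  - datadog                            # limit the grant to this one SCC, never "*"
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: system:openshift:scc:datadog   # assumed name for this example
  namespace: openshift-operator-lifecycle-manager   # the project the SA lives in
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:datadog
subjects:
- kind: ServiceAccount
  name: olm-operator-serviceaccount
  namespace: openshift-operator-lifecycle-manager
```

      After `oc apply -f` of these objects, `oc auth can-i use securitycontextconstraints/datadog --as=system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount -n openshift-operator-lifecycle-manager` answers `yes`, while `oc describe scc datadog` still shows only the legacy `Users:` entry, which is exactly the mismatch the report points out. For auditing, this means listing who can reach a privileged SCC has to be done against RoleBindings and ClusterRoleBindings that reference `system:openshift:scc:*` roles, not by reading the SCC object's `users` and `groups` fields.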

            ocp-docs-bot OCP DocsBot
            rhn-support-jiazha Jian Zhang
            Xingxing Xia Xingxing Xia