- Login as an unprivileged user (the token comes from the OAuth token request page):

~~~
# Open https://oauth-openshift.apps.sno.laptop/oauth/token/request in a browser to obtain a token
$ oc login --token=sha256~nmqCC9xcKikiAxALnzzat1zluH5qS02rDOypnxI3_cM --server=https://api.sno.laptop:6443
$ oc whoami
~~~

- Create a basic nginx deployment:

~~~
$ oc new-project scc-nginx
# The pod will end up in CrashLoopBackOff
$ oc apply --filename nginx-deployment-1.yml
~~~

- Try to give the nginx container more privileges:

~~~
$ oc apply --filename nginx-deployment-2.yml
~~~

- But notice how it is failing:

~~~
$ oc describe replicaset
~~~

- As admin, show which SCC would have been needed:

~~~
$ KUBECONFIG=$HOME/.kube/sno oc adm policy scc-subject-review -f nginx-deployment-2.yml
~~~

- Create a new service account, grant the anyuid SCC to it, and use it in the deployment:

~~~
$ oc create serviceaccount nginx-deployer
$ KUBECONFIG=$HOME/.kube/sno oc adm policy add-scc-to-user --namespace scc-nginx anyuid --serviceaccount nginx-deployer
$ oc describe rolebinding system:openshift:scc:anyuid
$ oc apply --filename nginx-deployment-3.yml
~~~

- Verify I have access:

~~~
$ oc adm policy scc-subject-review -f nginx-deployment-3.yml
~~~

- Notice this is still failing:

~~~
$ oc run crashloop --image docker.io/library/nginx@sha256:f77fba73158d2e3372f16d367baa82ff2273d6462370f2d072e8abfec0c9d974
~~~
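Every step above turns on which SCC the pod ends up validated against. The following Python model is added here as an example; it is not part of the original notes and not OpenShift's own admission code. It mimics the decision for the four pod specs in the demo. The namespace uid range, the contents of the nginx-deployment-*.yml manifests (deployment-2 and -3 are assumed to request runAsUser: 0), the image's USER and the helper names are all assumptions.

```python
"""Simplified model of OpenShift SCC admission for the demo above.

Added example, not OpenShift's own code. It covers only what the demo
exercises: which SCCs a subject may use, each SCC's runAsUser strategy,
and which SCC a pod spec is validated against. The uid range, the
contents of the nginx-deployment-*.yml manifests and the image's USER
are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SCC:
    name: str
    priority: int          # OpenShift tries higher-priority SCCs first
    run_as_user: str       # "MustRunAsRange" or "RunAsAny"
    allow_privileged: bool = False


# Two built-in SCCs, reduced to the fields this model uses.
RESTRICTED = SCC("restricted", 0, "MustRunAsRange")
ANYUID = SCC("anyuid", 10, "RunAsAny")

# Constructed value of the openshift.io/sa.scc.uid-range annotation: "<start>/<size>".
NS_UID_RANGE = "1000620000/10000"
NGINX = "docker.io/library/nginx"   # stock image: USER is root (uid 0)


@dataclass
class PodSpec:
    image: str
    service_account: str = "default"
    run_as_user: Optional[int] = None   # securityContext.runAsUser; None = unset
    privileged: bool = False


def subject_sccs(user_sccs: List[SCC], sa_sccs: List[SCC]) -> List[SCC]:
    """SCCs available to a pod: the union of those granted to the requesting
    user and to the pod's service account, highest priority first. For pods
    created by a controller (Deployment -> ReplicaSet) only the service
    account's SCCs matter, which is why the demo grants anyuid to an SA."""
    return sorted(set(user_sccs) | set(sa_sccs), key=lambda s: (-s.priority, s.name))


def validate(scc: SCC, pod: PodSpec, ns_uid_range: str = NS_UID_RANGE) -> Tuple[bool, Optional[int]]:
    """(admitted, effective uid). A uid of None means 'the image's own USER'."""
    if pod.privileged and not scc.allow_privileged:
        return False, None
    if scc.run_as_user == "RunAsAny":
        return True, pod.run_as_user           # nothing is injected
    start, size = (int(x) for x in ns_uid_range.split("/"))
    if pod.run_as_user is None:
        return True, start                     # MustRunAsRange defaults to the range start
    if start <= pod.run_as_user < start + size:
        return True, pod.run_as_user
    return False, None                         # e.g. runAsUser: 0 under restricted


def admit(pod: PodSpec, sccs: List[SCC]) -> Optional[Tuple[str, Optional[int]]]:
    """First SCC that validates the pod wins (recorded as the openshift.io/scc
    annotation); None models 'unable to validate against any SCC'."""
    for scc in sccs:
        ok, uid = validate(scc, pod)
        if ok:
            return scc.name, uid
    return None


# Subject setup mirroring the demo: an unprivileged user (restricted only, via
# system:authenticated) and the nginx-deployer SA after add-scc-to-user anyuid.
USER_SCCS = [RESTRICTED]
SA_SCCS = {"default": [], "nginx-deployer": [ANYUID]}


def review(pod: PodSpec):
    """Roughly what `oc adm policy scc-subject-review` answers for a pod spec."""
    return admit(pod, subject_sccs(USER_SCCS, SA_SCCS.get(pod.service_account, [])))


def runs_as_root(result) -> bool:
    """Admission passing is not the same as the container working: the stock
    nginx image expects uid 0 (it writes under /var/cache/nginx and listens on
    port 80), so a pod admitted with a range uid is the CrashLoopBackOff seen
    in the demo."""
    return result is not None and result[1] in (0, None)


# The four pod specs from the demo (manifest contents assumed).
DEPLOYMENT_1 = PodSpec(NGINX)                                   # no securityContext
DEPLOYMENT_2 = PodSpec(NGINX, run_as_user=0)                    # asks for root
DEPLOYMENT_3 = PodSpec(NGINX, service_account="nginx-deployer", run_as_user=0)
OC_RUN_CRASHLOOP = PodSpec(NGINX)                               # default SA again

if __name__ == "__main__":
    for name, pod in [("nginx-deployment-1", DEPLOYMENT_1), ("nginx-deployment-2", DEPLOYMENT_2),
                      ("nginx-deployment-3", DEPLOYMENT_3), ("oc run crashloop", OC_RUN_CRASHLOOP)]:
        r = review(pod)
        print(f"{name}: admitted by {r[0]} as uid {r[1]}" if r else f"{name}: rejected",
              "(container would run)" if runs_as_root(r) else "(crashloops or never created)")
```

Read against the demo: deployment-1 is admitted by restricted but gets a range uid, so nginx crashloops; deployment-2 asks for uid 0 and no SCC in the subject's set allows it, which is the FailedCreate that `oc describe replicaset` shows; deployment-3 runs under the nginx-deployer SA, so anyuid is in the set and wins on priority; `oc run crashloop` goes back to the default SA and is in the same position as deployment-1.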