OpenShift SCC: How to Resolve Pod Security Context Issues

techhadoop OCP

To troubleshoot SCC issues in OpenShift, usually start from the pod error and trace which ServiceAccount is trying to run the workload.

1. Check the pod error

oc describe pod <pod-name> -n <namespace>

Look for errors like:

unable to validate against any security context constraint
provider restricted-v2: ...
runAsUser: Invalid value
privileged containers are not allowed
hostPath volumes are not allowed
allowPrivilegeEscalation is not allowed

2. Check which ServiceAccount the pod uses

oc get pod <pod-name> -n <namespace> -o jsonpath='{.spec.serviceAccountName}'

Default is usually:

default

Check the Deployment too:

oc get deploy <deploy-name> -n <namespace> -o yaml | grep serviceAccountName

3. Check SCCs available in the cluster

oc get scc

Common SCCs:

restricted-v2
nonroot-v2
anyuid
privileged
hostmount-anyuid

4. Check which SCC admitted the pod

For a running pod:

oc get pod <pod-name> -n <namespace> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'

Example:

restricted-v2

5. Check SCC permissions for the ServiceAccount

oc auth can-i use scc/anyuid \
  --as system:serviceaccount:<namespace>:<serviceaccount> \
  -n <namespace>

Example:

oc auth can-i use scc/anyuid \
  --as system:serviceaccount:myapp:default \
  -n myapp

6. Add an SCC to a ServiceAccount

Example for apps needing fixed UID or root:

oc adm policy add-scc-to-user anyuid \
  -z <serviceaccount> \
  -n <namespace>

Example:

oc adm policy add-scc-to-user anyuid \
  -z default \
  -n myapp

For privileged workloads:

oc adm policy add-scc-to-user privileged \
  -z <serviceaccount> \
  -n <namespace>

Use privileged only when really required.

7. Common fixes

App runs as root

Error:

runAsUser: Invalid value: 0

Fix:

oc adm policy add-scc-to-user anyuid -z <sa> -n <namespace>

Better fix: modify image to run as non-root.

Container needs privileged mode

Error:

Privileged containers are not allowed

Fix:

oc adm policy add-scc-to-user privileged -z <sa> -n <namespace>
App uses hostPath

Error:

hostPath volumes are not allowed

Fix may require:

oc adm policy add-scc-to-user hostmount-anyuid -z <sa> -n <namespace>

Or redesign to use PVC instead of hostPath.

App needs custom UID

Check deployment:

oc get deploy <deploy-name> -n <namespace> -o yaml | grep -A10 securityContext

Remove hardcoded UID if possible:

securityContext:
  runAsUser: 1000

OpenShift often prefers dynamic UIDs.

8. Check namespace UID range

oc get namespace <namespace> -o yaml | grep uid-range

Example:

openshift.io/sa.scc.uid-range: 1000750000/10000

Pods under restricted-v2 must usually run within this UID range.

9. Best practice

Do not assign SCC to all users. Assign SCC only to a specific ServiceAccount:

oc create sa myapp-sa -n myapp
oc adm policy add-scc-to-user anyuid \
  -z myapp-sa \
  -n myapp

Then update Deployment:

spec:
  template:
    spec:
      serviceAccountName: myapp-sa

Quick troubleshooting flow

Pod failing?
oc describe pod
Find SCC error
Check ServiceAccount
oc auth can-i use scc/<scc>
Grant least-privilege SCC to ServiceAccount
Restart pod

Restart:

oc rollout restart deploy/<deploy-name> -n <namespace>

Leave a Reply