OpenShift - List serviceaccounts with privileged scc

1/30/2019

Is there an oc command (or other method) to list all service accounts that have been granted the privileged scc?

If I suspect oc adm policy add-scc-to-user privileged -z SA_NAME has been run against a number of service accounts, how can I check? I know the call to undo this using oc adm policy remove-scc-from-user ..., but haven't found a command to list which accounts have been given an scc.

-- davur
kubernetes
openshift
security

1 Answer

1/30/2019

Seems I eventually stumbled on the answer to my own question.

Inspecting an scc shows the list of users that have the scc.

oc edit scc privileged

...
kind: SecurityContextConstraints
metadata:
  ...
  name: privileged
...
users:
- system:admin
- system:serviceaccount:SA_NAME1
- system:serviceaccount:SA_NAME2
- ...

When adding privileged to an account (user or sa), it appears the opposite is really what happens: the user/sa is added to the scc.

-- davur
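To answer the question across every SCC at once rather than opening them one by one with oc edit, here is an added Python example (not from the original post or from OpenShift itself) that parses the JSON printed by oc get scc -o json and reports which service accounts are granted a given SCC. It also covers grants made through the SCC's groups field (system:serviceaccounts:NAMESPACE grants every service account in that namespace, and the bare system:serviceaccounts group grants all of them cluster-wide), which the users list alone does not show. The SCC list below is a constructed sample embedded inline so the script runs offline; replace it with real oc output to audit a cluster.

```python
import json

# Constructed sample of `oc get scc -o json` output (not data from a real
# cluster): one SCC with direct service-account grants, one granted to a
# whole namespace via the groups field.
SAMPLE_SCC_LIST = json.dumps({
    "items": [
        {
            "kind": "SecurityContextConstraints",
            "metadata": {"name": "privileged"},
            "users": [
                "system:admin",
                "system:serviceaccount:openshift-infra:build-controller",
                "system:serviceaccount:myproject:deployer-sa",
            ],
            "groups": ["system:cluster-admins", "system:nodes"],
        },
        {
            "kind": "SecurityContextConstraints",
            "metadata": {"name": "anyuid"},
            "users": [],
            "groups": ["system:serviceaccounts:legacy-app"],
        },
    ]
})

SA_USER_PREFIX = "system:serviceaccount:"      # one SA: namespace:name
SA_GROUP_PREFIX = "system:serviceaccounts:"    # every SA in a namespace
SA_GROUP_ALL = "system:serviceaccounts"        # every SA in the cluster


def scc_grants(scc_list_json, scc_name="privileged"):
    """Return {grantee: field} for the named SCC. Grantee is 'namespace:name'
    for a directly listed service account, or a '*...' marker for a group
    grant; field says whether 'users' or 'groups' produced it."""
    grants = {}
    for scc in json.loads(scc_list_json)["items"]:
        if scc["metadata"]["name"] != scc_name:
            continue
        # `users`/`groups` may be null in real output, hence `or []`.
        for user in scc.get("users") or []:
            if user.startswith(SA_USER_PREFIX):
                grants[user[len(SA_USER_PREFIX):]] = "users"
        for group in scc.get("groups") or []:
            if group == SA_GROUP_ALL:
                grants["*all service accounts (cluster-wide)"] = "groups"
            elif group.startswith(SA_GROUP_PREFIX):
                ns = group[len(SA_GROUP_PREFIX):]
                grants["*all service accounts in " + ns] = "groups"
    return grants


if __name__ == "__main__":
    for name in ("privileged", "anyuid"):
        for grantee, via in sorted(scc_grants(SAMPLE_SCC_LIST, name).items()):
            print(f"{name}: {grantee} (via {via})")
```

Plain users such as system:admin and non-SA groups like system:cluster-admins are deliberately skipped, since the question is about service accounts; drop the prefix checks to see every grantee.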
Source: StackOverflow