How to enable NET_ADMIN permission to a deployment?

  1. Create a custom SCC my-scc that allows the NET_ADMIN capability. SCCs are cluster-scoped, so this step needs cluster-admin rights. Note that NET_ADMIN lets the container change routes, interfaces and netfilter rules inside its own network namespace; it does not reach the host's network stack unless the SCC also allows hostNetwork:
    $ cat scc.yaml
    kind: SecurityContextConstraints
    apiVersion: security.openshift.io/v1   # the unqualified "v1" group only works on OpenShift 3
    metadata:
      name: my-scc
    allowPrivilegeEscalation: false
    allowPrivilegedContainer: false
    allowedCapabilities:
      - NET_ADMIN
    fsGroup:
      type: RunAsAny
    runAsUser:
      type: RunAsAny
    seLinuxContext:
      type: RunAsAny
    supplementalGroups:
      type: RunAsAny
    users:
      - system:admin
    $ oc create -f scc.yaml
  2. Create a new service account mysvcacct:
    $ oc create sa mysvcacct -n $NAMESPACE
  3. Grant the SCC my-scc to the service account mysvcacct (the -z form refers to a service account in the given namespace):
    $ oc adm policy add-scc-to-user my-scc -z mysvcacct -n $NAMESPACE
  4. Create a deployment that runs under serviceAccountName mysvcacct and requests the capability in its securityContext. The SCC only permits NET_ADMIN; the container still has to ask for it with capabilities.add, otherwise it starts with the default capability set:
    $ cat simple-deployment.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: simple-deployment
        # further labels from the original page were lost in extraction
      name: simple-deployment
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: simple-deployment
      strategy:
        type: Recreate
      template:
        metadata:
          labels:
            app: simple-deployment
            deploymentconfig: simple-deployment
        spec:
          serviceAccountName: mysvcacct
          containers:
          - image:   # image reference not preserved on the page
            imagePullPolicy: Always
            name: simple-deployment
            command:
            - /bin/sh
            - -c
            - |
              sleep infinity
            resources: {}
            securityContext:
              capabilities:
                add:
                - NET_ADMIN
    $ oc create -f simple-deployment.yaml -n $NAMESPACE
  5. Confirm that the pod was admitted by SCC my-scc. The admission controller records the SCC it chose in the openshift.io/scc annotation on the pod:
    $ oc -n ${NAMESPACE} get pod -o custom-columns='NAME:.metadata.name,APPLIED SCC:.metadata.annotations.openshift\.io/scc'
    NAME                                 APPLIED SCC
    simple-deployment-5c675b55b6-6cr5t   my-scc
  6. Confirm that the routing table can be edited inside the pod. Without NET_ADMIN the same `ip r del` / `ip r add` calls fail with `RTNETLINK answers: Operation not permitted`:
    $ oc rsh simple-deployment-5c675b55b6-6cr5t
    sh-4.2# ip r
    default via dev eth0 dev eth0 dev eth0 proto kernel scope link src via dev eth0 dev eth0 
    sh-4.2# ip r del dev eth0 
    sh-4.2# ip r add dev eth0 
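As an added example (not code from the original post), the script below automates the six steps against a cluster and then verifies, from a copy of the container's /proc/1/status, that CAP_NET_ADMIN is actually in the effective capability set. Decoding the CapEff bitmask is the check that `ip r del` exercises implicitly, and it works offline on a constructed status file, so the verification part can be tried without a cluster. The names NAMESPACE, my-scc, mysvcacct and simple-deployment come from the post; the function names, the sample status file and the two sample capability masks are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: script the post's procedure and
# verify CAP_NET_ADMIN by decoding the CapEff bitmask of /proc/<pid>/status.

CAP_NET_ADMIN=12   # capability number from linux/capability.h

# cap_in_mask HEXMASK CAPNUM: succeed if bit CAPNUM is set in a CapEff-style hex mask
cap_in_mask() {
    _mask=$1
    _cap=$2
    [ "$(( (0x$_mask >> $_cap) & 1 ))" -eq 1 ]
}

# capeff_from_status FILE: print the CapEff value from a /proc/<pid>/status file
capeff_from_status() {
    awk '$1 == "CapEff:" { print $2 }' "$1"
}

# check_net_admin FILE: succeed if the process described by FILE has CAP_NET_ADMIN effective
check_net_admin() {
    cap_in_mask "$(capeff_from_status "$1")" "$CAP_NET_ADMIN"
}

# make_sample_status FILE CAPEFF: write a constructed /proc/<pid>/status fragment
# (assumed values; a real file has many more fields) so the check runs offline.
make_sample_status() {
    cat > "$1" <<EOF
Name:   sleep
Uid:    1000680000  1000680000  1000680000  1000680000
CapInh: 0000000000000000
CapPrm: $2
CapEff: $2
CapBnd: $2
NoNewPrivs: 1
EOF
}

# apply_and_verify: run the post's six steps end to end on a real cluster
# (assumes scc.yaml and simple-deployment.yaml from the post are in the cwd
# and oc is logged in with cluster-admin rights for the SCC creation).
apply_and_verify() {
    ns=${NAMESPACE:?set NAMESPACE first}
    oc create -f scc.yaml
    oc create sa mysvcacct -n "$ns"
    oc adm policy add-scc-to-user my-scc -z mysvcacct -n "$ns"
    oc create -f simple-deployment.yaml -n "$ns"
    oc rollout status deployment/simple-deployment -n "$ns"
    pod=$(oc get pod -n "$ns" -l app=simple-deployment -o jsonpath='{.items[0].metadata.name}')
    scc=$(oc get pod -n "$ns" "$pod" -o jsonpath='{.metadata.annotations.openshift\.io/scc}')
    [ "$scc" = "my-scc" ] || { echo "pod admitted by '$scc', not my-scc" >&2; return 1; }
    # PID 1 in the container is the "/bin/sh -c sleep infinity" from the deployment.
    oc exec -n "$ns" "$pod" -- cat /proc/1/status > /tmp/pod-status
    check_net_admin /tmp/pod-status && echo "CAP_NET_ADMIN effective in $pod"
}

# demo: offline run with two constructed masks:
#   00000000a80425fb  the usual container-runtime default set (bit 12 clear)
#   00000000a80435fb  the same set with CAP_NET_ADMIN added (bit 12 set)
demo() {
    f=$(mktemp)
    make_sample_status "$f" 00000000a80425fb
    check_net_admin "$f" && echo "default set: NET_ADMIN present" || echo "default set: NET_ADMIN absent"
    make_sample_status "$f" 00000000a80435fb
    check_net_admin "$f" && echo "with NET_ADMIN: present" || echo "with NET_ADMIN: absent"
    rm -f "$f"
}

case "${1:-}" in
    demo)  demo ;;
    apply) apply_and_verify ;;
esac
```

Run `sh script.sh demo` for the offline check and `NAMESPACE=myproject sh script.sh apply` against a cluster. Checking CapEff rather than only the openshift.io/scc annotation matters because the annotation proves which SCC admitted the pod, while CapEff proves the container actually received the capability it asked for.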
Written on July 24, 2023