I have the default SCC `restricted` in a cluster. I created another SCC which has `readOnlyRootFilesystem = true`. I have applied this SCC to a service account in one namespace. However, I can still create files in /tmp in a pod; the `readOnlyRootFilesystem = true` does not work. I think it has something to do with the priorities between the default SCC and the SCC I created. Is there any solution for this? This is my SCC file and the commands I used.
```yaml
allowHostPorts: false
priority: null
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
allowPrivilegedContainer: false
runAsUser:
  type: MustRunAsRange
users: []
allowHostDirVolumePlugin: false
allowHostIPC: false
seLinuxContext:
  type: MustRunAs
readOnlyRootFilesystem: true
metadata:
  annotations:
    kubernetes.io/description: restricted SCC + read-only FS
  name: restricted-new
fsGroup:
  type: MustRunAs
groups: []
kind: SecurityContextConstraints
defaultAddCapabilities: null
supplementalGroups:
  type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
allowHostPID: false
allowHostNetwork: false
allowPrivilegeEscalation: false
apiVersion: security.openshift.io/v1
allowedCapabilities: null
```
```
$ oc create -f restricted-new.yaml
$ oc adm policy add-scc-to-user readonly -z ro-default -n <PROJECT>
$ oc create sa ro-default -n <PROJECT>
$ touch tmp/aaa.txt
```
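The question turns on which SCC actually admitted the pod, and on what `readOnlyRootFilesystem` covers once it is applied. The script below is an added example, not part of the question and not OpenShift's own code. It inspects a pod manifest of the shape `oc get pod <name> -o json` returns (the `openshift.io/scc` annotation that admission writes, each container's admitted `securityContext`, and any volume mounted under /tmp, which stays writable whatever the root filesystem flag says) and reproduces, in simplified form, the documented ordering OpenShift uses when a service account is allowed more than one SCC: higher `priority` first (null counts as 0), then name. The "most restrictive" tie-break that real admission applies between those two steps is left out; that it does not separate two SCCs differing only in `readOnlyRootFilesystem` is an assumption. The pod JSON, the SCC list, the namespace `proj`, the images and the `tmp/` mount are all constructed for the example.

```python
"""Check which SCC admitted a pod and whether its root filesystem is read-only.

Added example (not from the question, not OpenShift code). Run it on a live
pod with:  oc get pod <name> -o json | python3 check_scc.py -
Without the `-` argument it runs against the constructed SAMPLE_POD below.
"""
import json
import sys

SCC_ANNOTATION = "openshift.io/scc"  # written by SCC admission on every admitted pod


def pick_scc(sccs):
    """Name of the SCC admission tries first when several are allowed.

    Simplified ordering (assumption, see lead-in): highest `priority` first,
    a null priority counting as 0, then alphabetical name. Two SCCs with no
    priority set therefore resolve by name, so `restricted` sorts ahead of
    `restricted-new`.
    """
    return sorted(sccs, key=lambda s: (-(s.get("priority") or 0), s["name"]))[0]["name"]


def effective_scc(pod):
    """SCC recorded by admission in the pod's annotations (None if missing)."""
    return pod.get("metadata", {}).get("annotations", {}).get(SCC_ANNOTATION)


def root_fs_status(pod):
    """container name -> readOnlyRootFilesystem as admitted (False if unset)."""
    return {
        c["name"]: bool(c.get("securityContext", {}).get("readOnlyRootFilesystem", False))
        for c in pod.get("spec", {}).get("containers", [])
    }


def mounts_under(pod, path):
    """container name -> mountPaths at or below `path`.

    readOnlyRootFilesystem only covers the image's root filesystem; a volume
    (emptyDir, PVC, ...) mounted at /tmp stays writable even with the flag on.
    """
    prefix = path.rstrip("/") + "/"
    out = {}
    for c in pod.get("spec", {}).get("containers", []):
        hits = [m["mountPath"] for m in c.get("volumeMounts", [])
                if m["mountPath"] == path or m["mountPath"].startswith(prefix)]
        if hits:
            out[c["name"]] = hits
    return out


def diagnose(pod, allowed_sccs, wanted_scc):
    """Human-readable findings explaining why /tmp may still be writable."""
    findings = []
    admitted = effective_scc(pod)
    if admitted != wanted_scc:
        findings.append(f"pod admitted under {admitted!r}, not {wanted_scc!r}; with the "
                        f"current priorities admission picks {pick_scc(allowed_sccs)!r} first")
    for name, read_only in root_fs_status(pod).items():
        if not read_only:
            findings.append(f"container {name!r}: readOnlyRootFilesystem not applied")
    for name, paths in mounts_under(pod, "/tmp").items():
        findings.append(f"container {name!r}: volume mounted at {paths} is writable regardless")
    return findings


# Constructed sample: what `oc get pod -o json` would show when the default
# `restricted` SCC, not restricted-new, admitted the pod.
SAMPLE_POD = json.loads("""{
  "metadata": {"name": "demo", "namespace": "proj",
               "annotations": {"openshift.io/scc": "restricted"}},
  "spec": {
    "serviceAccountName": "ro-default",
    "volumes": [{"name": "scratch", "emptyDir": {}}],
    "containers": [
      {"name": "app", "image": "registry.example/app:1",
       "securityContext": {"allowPrivilegeEscalation": false}},
      {"name": "sidecar", "image": "registry.example/sidecar:1",
       "securityContext": {"readOnlyRootFilesystem": true},
       "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}]}
    ]
  }
}""")

# SCCs the service account can use (constructed): `restricted` is granted to
# every authenticated user by default, restricted-new was added by hand.
ALLOWED_SCCS = [{"name": "restricted", "priority": None},
                {"name": "restricted-new", "priority": None}]

if __name__ == "__main__":
    pod = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_POD
    for line in diagnose(pod, ALLOWED_SCCS, "restricted-new"):
        print(line)
```

Raising `priority` on the custom SCC (for example to 10) flips `pick_scc` to `restricted-new`; the third finding is independent of that, since an `emptyDir` or PVC mounted at /tmp is not part of the root filesystem at all.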