SCC review always says a pod needs AnyUID, even when that's not true

So, I've been poking around in the labs to experiment a little bit before my exam, and I've noticed something weird that I can't explain.

If I run oc get pod/[pod-name] -o yaml | oc adm policy scc-subject-review -f - it ALWAYS claims that the pod is allowed by the anyuid SCC, whether or not that's actually true. I've been trying it out on a whole bunch of pods in a whole bunch of different labs across the DO280 course, and the result is always the same. It insists that the pod needs anyuid, even when the pod is currently running without it.

What am I doing wrong? Why is this happening?


Hi @cailey,

Thanks for reaching out!

Can you let me know where exactly you are getting this, in particular, so that I can check it out? Any guided exercise or lab reference will make it easier to check.

It is interesting what you have pointed out here. It may be due to the fact that we are getting the pod definition from "oc get..." and then supplying it to "oc adm policy..." to check the SCC function, and this oc adm policy command is not taking the actual runtime state of the pod but the pod definition only; hence it is giving us the result that it needs anyuid?

If you can use the feedback button in your ROL portal and submit this, I can get it checked by our curriculum developers.

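An added example, not part of this thread and not Red Hat's code, assuming the SCCs that ship with OpenShift 4 (the pod JSON and the SCC table below are constructed samples, and the restrictiveness tie-break is simplified). Two facts drive the behaviour seen in the question: oc adm policy scc-subject-review evaluates the request for the user running oc unless you pass -u or -z, and the admission plugin tries the SCCs a subject may use in priority order, where anyuid ships with priority 10 and grants the system:cluster-admins group while restricted-v2 has no priority. A cluster-admin therefore sees anyuid reported first, regardless of which SCC actually admitted the running pod. The script reads the openshift.io/scc annotation that records the admitting SCC, builds the review for the pod's own service account instead of the current user, and reproduces the candidate ordering.

```python
import json
import shutil
import subprocess
import sys

# Constructed sample of `oc get pod hello -o json`, trimmed to the fields used
# here. The openshift.io/scc annotation is written by the SCC admission plugin
# when the pod is created and records which SCC actually admitted it.
SAMPLE_POD_JSON = """{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "hello", "namespace": "demo",
               "annotations": {"openshift.io/scc": "restricted-v2"}},
  "spec": {"serviceAccountName": "default",
           "containers": [{"name": "hello",
                           "image": "registry.example.com/hello:1.0",
                           "securityContext": {"runAsUser": 1000680000}}]},
  "status": {"phase": "Running"}
}"""

# Constructed subset of the default SCCs: name, priority (None counts as 0)
# and the groups allowed to use them. anyuid really ships with priority 10
# and system:cluster-admins; restricted-v2 has no priority and is granted to
# system:authenticated; nonroot-v2 is granted to nobody by default.
SCCS = [
    {"name": "restricted-v2", "priority": None, "groups": ["system:authenticated"]},
    {"name": "anyuid", "priority": 10, "groups": ["system:cluster-admins"]},
    {"name": "nonroot-v2", "priority": None, "groups": []},
]


def admitted_scc(pod):
    """SCC that admitted a running pod, from the annotation set at creation."""
    return pod["metadata"].get("annotations", {}).get("openshift.io/scc")


def pod_service_account(pod):
    """Service account the pod runs as; Kubernetes defaults it to 'default'."""
    return pod["spec"].get("serviceAccountName", "default")


def review_command(pod, as_user=None):
    """argv for scc-subject-review. -u reviews for a named user, otherwise -z
    reviews for the pod's own service account. With neither flag (the pipeline
    in the question) oc reviews for whoever is running it."""
    ns = pod["metadata"]["namespace"]
    cmd = ["oc", "adm", "policy", "scc-subject-review", "-n", ns]
    cmd += ["-u", as_user] if as_user else ["-z", pod_service_account(pod)]
    return cmd + ["-f", "-"]


def candidate_sccs(groups):
    """Names of the SCCs a subject with these groups may use, in the order the
    admission plugin tries them: highest priority first, then by name.
    (Simplified: the real tie-break sorts most restrictive first, then name.)"""
    usable = [s for s in SCCS if set(s["groups"]) & set(groups)]
    usable.sort(key=lambda s: (-(s["priority"] or 0), s["name"]))
    return [s["name"] for s in usable]


if __name__ == "__main__":
    # Usage: oc get pod <name> -o json | python3 scc_review.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POD_JSON
    pod = json.loads(raw)
    print("admitted by:", admitted_scc(pod))
    cmd = review_command(pod)
    print("review for the pod's service account:", " ".join(cmd))
    if shutil.which("oc"):
        subprocess.run(cmd, input=raw, text=True, check=False)
```

Run it with a real pod piped in to see the two answers side by side: the annotation tells you what the pod was admitted under, and the -z review tells you what its service account would be granted today, which is the question you usually mean to ask instead of what the admin user running oc would be granted.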