From prodsec-skills
Reviews OpenShift Security Context Constraints (SCC) for proper privilege levels. Helps audit pod security, SCC assignments, and container runtime permissions on OpenShift clusters.
Install: `npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills`

Slash command (the skill can be triggered by the user, by Claude, or both): `/prodsec-skills:scc-security`

Summary Claude sees in its skill listing (used to decide when to auto-load this skill):
SCCs control what actions pods can perform and what host resources they can access. If no security context is specified, OpenShift applies the **restricted** SCC by default.
| SCC | Description | When to Use |
|---|---|---|
| restricted | Denies all host features; requires namespace-allocated UID and SELinux label. Most restrictive. | Default for all workloads; prefer this unless a specific relaxation is justified |
| nonroot | Like restricted, but allows any non-root UID | When the container must run as a specific non-root UID |
| anyuid | Like restricted, but allows any UID/GID | When the container requires a specific UID (including root UID without root privileges) |
| hostnetwork | Allows host networking and ports; requires namespace UID/SELinux | Only for pods that must bind to host network interfaces |
| hostaccess | Allows all host namespaces; requires namespace UID/SELinux | Only for trusted pods requiring host namespace access |
| hostmount-anyuid | Like restricted, but allows host mounts and any UID | Only for pods requiring host filesystem access (e.g., persistent volume recycler) |
| privileged | Full access to all host features; any user, group, SELinux context | Only for cluster administration requiring maximum access |
| node-exporter | Purpose-built for the Prometheus node exporter | Only for the node exporter DaemonSet |
| custom | Administrator-defined constraints | Requires careful security review; document every relaxation |
Checklist:

- `runAsNonRoot: true` is set where possible
- `readOnlyRootFilesystem: true` is set where possible
- `runAsNonRoot: true` is set in the pod security context
- `readOnlyRootFilesystem: true` is set in container security contexts
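The SCC table and the checklist above together describe an audit: which SCC each running pod was actually admitted under, and whether its security contexts carry the two required settings. The script below is an added example of that audit and is not part of the prodsec-skills plugin. It reads the JSON that `oc get pods -A -o json` produces (OpenShift records the admitting SCC in the `openshift.io/scc` pod annotation), groups the SCC names from the table into the low-privilege set and the host-access set, and reports every deviation from the checklist. The embedded `SAMPLE` document is constructed for the example, not captured from a real cluster.

```python
"""Audit OpenShift pods against the SCC table and securityContext checklist.

Usage: oc get pods -A -o json | python3 scc_audit.py
With no piped input the constructed SAMPLE document below is audited instead.
"""
import json
import sys

# SCC names from the table above. Anything not listed is treated as a custom SCC.
LOW_PRIVILEGE_SCCS = {"restricted", "nonroot", "anyuid"}
HOST_ACCESS_SCCS = {"hostnetwork", "hostaccess", "hostmount-anyuid", "privileged", "node-exporter"}

# Annotation OpenShift's admission controller stamps on every pod it admits.
SCC_ANNOTATION = "openshift.io/scc"


def audit_pod(pod):
    """Return a list of findings for one pod; an empty list means it passes."""
    findings = []
    meta = pod.get("metadata") or {}
    spec = pod.get("spec") or {}

    scc = (meta.get("annotations") or {}).get(SCC_ANNOTATION)
    if scc is None:
        findings.append("no openshift.io/scc annotation; pod was not admitted through SCC")
    elif scc in HOST_ACCESS_SCCS:
        findings.append(f"admitted under host-access SCC '{scc}'; justification required")
    elif scc not in LOW_PRIVILEGE_SCCS:
        findings.append(f"admitted under custom SCC '{scc}'; review its relaxations")

    # Host namespaces are what hostnetwork/hostaccess/privileged unlock; flag their use.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag) is True:
            findings.append(f"spec.{flag} is true")

    # Checklist item: runAsNonRoot belongs in the pod-level securityContext.
    if (spec.get("securityContext") or {}).get("runAsNonRoot") is not True:
        findings.append("pod securityContext.runAsNonRoot is not true")

    # Checklist item: readOnlyRootFilesystem is a container-level setting; init
    # containers are audited too because they run under the same SCC.
    for container in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = container.get("securityContext") or {}
        name = container.get("name", "<unnamed>")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"container '{name}': readOnlyRootFilesystem is not true")
        if sc.get("privileged") is True:
            findings.append(f"container '{name}': privileged is true")
    return findings


def audit_pod_list(pod_list):
    """Map 'namespace/name' -> findings for every pod in a PodList document."""
    results = {}
    for pod in pod_list.get("items") or []:
        meta = pod.get("metadata") or {}
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
        results[key] = audit_pod(pod)
    return results


# Constructed stand-in for `oc get pods -A -o json` output; not real cluster data.
SAMPLE = {
    "kind": "PodList",
    "items": [
        {
            "metadata": {"namespace": "app", "name": "web-1",
                         "annotations": {SCC_ANNOTATION: "restricted"}},
            "spec": {
                "securityContext": {"runAsNonRoot": True},
                "containers": [{"name": "web",
                                "securityContext": {"readOnlyRootFilesystem": True}}],
            },
        },
        {
            "metadata": {"namespace": "tools", "name": "debug-1",
                         "annotations": {SCC_ANNOTATION: "privileged"}},
            "spec": {
                "hostNetwork": True,
                "containers": [{"name": "shell", "securityContext": {"privileged": True}}],
            },
        },
    ],
}

if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for key, findings in audit_pod_list(doc).items():
        print(f"{key}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

Pods admitted under a custom SCC are reported separately from host-access ones, matching the table's note that custom constraints need a documented review rather than an automatic pass or fail.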