mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 21:46:22 +01:00

CNV-16326: session mode

This commit is contained in:
Pan Ousley
2022-08-22 17:08:05 -04:00
committed by openshift-cherrypick-robot
parent 2253ebea88
commit ce3d84285f
5 changed files with 27 additions and 13 deletions


@@ -3213,7 +3213,7 @@ Topics:
- Name: Updating OKD Virtualization
File: upgrading-virt
Distros: openshift-origin
- Name: Additional security privileges granted for kubevirt-controller and virt-launcher
- Name: Security policies
File: virt-additional-security-privileges-controller-and-launcher
- Name: Using the CLI tools
File: virt-using-the-cli-tools
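Review bot: the new TOC title "Security policies" is far less specific than the one it replaces, while the file name `virt-additional-security-privileges-controller-and-launcher` (and therefore the URL) still describes the old scope, so the entry and the page address will disagree about what the page covers. If the broader title is intended because the assembly now also carries the workload-security module, prefer something like "Security policies for kubevirt-controller and virt-launcher", or rename the file in a follow-up; otherwise keep the old name.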


@@ -0,0 +1,13 @@
// Module included in the following assemblies:
//
// * virt/virt-additional-security-privileges-controller-and-launcher.adoc
:_content-type: CONCEPT
[id="virt-about-workload-security_{context}"]
= About workload security
By default, virtual machine (VM) workloads do not run with root privileges in {VirtProductName}.
For each VM, a `virt-launcher` pod runs an instance of `libvirt` in _session mode_ to manage the VM process. In session mode, the `libvirt` daemon runs as a non-root user account and only permits connections from clients that are running under the same user identifier (UID). Therefore, VMs run as unprivileged pods, adhering to the security principle of least privilege.
There are no supported {VirtProductName} features that require root privileges. If a feature requires root, it might not be supported for use with {VirtProductName}.
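Review bot: the last two sentences pull in opposite directions: "There are no supported {VirtProductName} features that require root privileges" is a firm statement, but "it might not be supported" immediately hedges it. Pick one; if this is meant as a support-policy statement, write "Features that require root privileges are not supported with {VirtProductName}." Two smaller points in the same paragraph: "Therefore, VMs run as unprivileged pods" reverses the dependency, since the pod being unprivileged is the constraint and `libvirt` session mode is what makes VM management work under it, so "Because the `virt-launcher` pod is unprivileged, `libvirt` runs in session mode ..." reads more accurately; and "unprivileged" here means non-root, not default policy, because the assembly's bullets still grant `virt-launcher` an extended `container_t` SELinux policy, so a short pointer to that module would keep readers from over-reading "unprivileged".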


@@ -2,6 +2,7 @@
//
// * virt/virt-additional-security-privileges-controller-and-launcher.adoc
:_content-type: REFERENCE
[id="virt-additional-scc-for-kubevirt-controller_{context}"]
= Additional {product-title} security context constraints and Linux capabilities for the kubevirt-controller service account


@@ -2,6 +2,7 @@
//
// * virt/virt-additional-security-privileges-controller-and-launcher.adoc
:_content-type: REFERENCE
[id="virt-extended-selinux-policies-for-virt-launcher_{context}"]
= Extended SELinux policies for virt-launcher pods


@@ -1,27 +1,26 @@
:_content-type: ASSEMBLY
[id="virt-additional-security-privileges-controller-and-launcher"]
= Additional security privileges granted for kubevirt-controller and virt-launcher
= Security policies
include::_attributes/common-attributes.adoc[]
:context: virt-additional-security-privileges-controller-and-launcher
toc::[]
The `kubevirt-controller` and virt-launcher pods are granted some SELinux policies and Security Context Constraints privileges that are in addition to typical pod owners. These privileges enable virtual machines to use {VirtProductName} features.
Virtual machine (VM) workloads run as unprivileged pods. So that VMs can use {VirtProductName} features, some pods are granted custom security policies that are not available to other pod owners:
* An extended `container_t` SELinux policy applies to `virt-launcher` pods.
* xref:../authentication/managing-security-context-constraints.adoc#security-context-constraints-about_configuring-internal-oauth[Security context constraints] (SCCs) are defined for the `kubevirt-controller` service account.
include::modules/virt-about-workload-security.adoc[leveloffset=+1]
include::modules/virt-extended-selinux-policies-for-virt-launcher.adoc[leveloffset=+1]
include::modules/virt-additional-scc-for-kubevirt-controller.adoc[leveloffset=+1]
[role="_additional-resources"]
[id="additional-resources_{context}"]
== Additional resources
* The Red Hat Enterprise Linux Virtualization Tuning and Optimization Guide has more information on link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_tuning_and_optimization_guide/sect-virtualization_tuning_optimization_guide-networking-techniques#mult[network multi-queue]
and
link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_tuning_and_optimization_guide/sect-virtualization_tuning_optimization_guide-memory-tuning#sect-Virtualization_Tuning_Optimization_Guide-Memory-Huge_Pages[huge pages].
* The `capabilities` man page has more information on the Linux capabilities.
* The `sysfs(5)` man page has more information on sysfs.
* The {product-title} Authentication guide has more information on
xref:../authentication/managing-security-context-constraints.adoc#security-context-constraints-about_configuring-internal-oauth[Security Context Constraints].
// these are RHEL 7 links; unsure if there is an equivalent in later versions //
* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_tuning_and_optimization_guide/sect-virtualization_tuning_optimization_guide-networking-techniques#sect-Virtualization_Tuning_Optimization_Guide-Networking-Multi-queue_virtio-net[Network multi-queue]
* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_tuning_and_optimization_guide/sect-virtualization_tuning_optimization_guide-memory-tuning#sect-Virtualization_Tuning_Optimization_Guide-Memory-Huge_Pages[Huge pages]
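Review bot: the `// these are RHEL 7 links; unsure if there is an equivalent in later versions //` comment leaves an open question in the merged source; resolve it before merging (check for the current equivalents of the tuning guide sections, or file a follow-up) rather than shipping a note that no reader sees and nobody tracks. Related: dropping the sentence "The Red Hat Enterprise Linux Virtualization Tuning and Optimization Guide has more information on ..." reduces the two bullets to bare link titles, so the reader can no longer tell that "Network multi-queue" and "Huge pages" point at a RHEL 7 guide rather than {product-title} docs; keep a short qualifier such as "RHEL 7 Virtualization Tuning and Optimization Guide:" in front of each. Finally, the SCC xref now appears twice (the new bullet under the intro and the unchanged Additional resources entry), both with the anchor `security-context-constraints-about_configuring-internal-oauth`; the `configuring-internal-oauth` context suffix looks mismatched against `managing-security-context-constraints.adoc` and is worth verifying before it is duplicated.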