From e50c6ab2e2b689678774e647e30ede09e682a1f5 Mon Sep 17 00:00:00 2001 From: Shubha Narayanan Date: Wed, 18 Aug 2021 19:33:35 +0530 Subject: [PATCH] BZ1873324: Configuring seccomp profile BZ1873324: Configuring seccomp profile BZ1873324: Configuring seccomp profile BZ1873324: WIP seccomp profile changes BZ1873324: WIP seccomp profile changes WIP changes for seccomp profile WIP changes for seccomp WIP draft WIP WIP WIP WIP Added SME inputs Added SME inputs BZ1873324: WIP BZ1873324: WIP WIP WIP WIP WIP testing WIP WIP WIP WIP File restructuring Build fix Restructured files, no content change Restructured files, no content change Fixed heading levels Implemented review comments Implemented review comments --- _topic_map.yml | 2 + modules/applying-custom-seccomp-profile.adoc | 22 ++++++++ .../configuring-default-seccomp-profile.adoc | 15 ++++++ modules/setting-custom-seccomp-profile.adoc | 19 +++++++ security/seccomp-profiles.adoc | 52 +++++++++++++++++++ 5 files changed, 110 insertions(+) create mode 100644 modules/applying-custom-seccomp-profile.adoc create mode 100644 modules/configuring-default-seccomp-profile.adoc create mode 100644 modules/setting-custom-seccomp-profile.adoc create mode 100644 security/seccomp-profiles.adoc diff --git a/_topic_map.yml b/_topic_map.yml index 2b1e6fb148..4f4e9a7404 100644 --- a/_topic_map.yml +++ b/_topic_map.yml @@ -751,6 +751,8 @@ Topics: File: audit-log-policy-config - Name: Configuring TLS security profiles File: tls-security-profiles +- Name: Configuring seccomp profiles + File: seccomp-profiles - Name: Allowing JavaScript-based access to the API server from additional hosts File: allowing-javascript-access-api-server Distros: openshift-enterprise,openshift-origin diff --git a/modules/applying-custom-seccomp-profile.adoc b/modules/applying-custom-seccomp-profile.adoc new file mode 100644 index 0000000000..2ae5484dc1 --- /dev/null +++ b/modules/applying-custom-seccomp-profile.adoc 
@@ -0,0 +1,22 @@ +[id="applying-custom-seccomp-profile_{context}"] += Applying the custom seccomp profile to the workload + +.Prerequisite +* The cluster administrator has set up the custom seccomp profile. For more details, see "Setting up the custom seccomp profile". + +.Procedure +* Apply the seccomp profile to the workload by setting the `securityContext.seccompProfile.type` field as following: ++ +.Example ++ +[source, yaml] +---- +spec: + securityContext: + seccompProfile: + type: Localhost + localhostProfile: .json <1> +---- +<1> Provide the name of your custom seccomp profile. ++ +Alternatively, you can use the pod annotations `seccomp.security.alpha.kubernetes.io/pod: localhost/.json`. However, this method is deprecated in {product-title} {product-version}. diff --git a/modules/configuring-default-seccomp-profile.adoc b/modules/configuring-default-seccomp-profile.adoc new file mode 100644 index 0000000000..79658e91b9 --- /dev/null +++ b/modules/configuring-default-seccomp-profile.adoc @@ -0,0 +1,15 @@ +[id="configuring-default-seccomp-profile_{context}"] += Configuring the default seccomp profile +OpenShift ships with a default seccomp profile that is referenced as `runtime/default`. You can enable the default seccomp profile for a pod or container workload by setting `RuntimeDefault` as following: + +.Example + +[source, yaml] +---- +spec: + securityContext: + seccompProfile: + type: RuntimeDefault +---- + +Alternatively, you can use the pod annotations `seccomp.security.alpha.kubernetes.io/pod: runtime/default` and `container.seccomp.security.alpha.kubernetes.io/: runtime/default`. However, this method is deprecated in {product-title} {product-version}. diff --git a/modules/setting-custom-seccomp-profile.adoc b/modules/setting-custom-seccomp-profile.adoc new file mode 100644 index 0000000000..2911220e22 --- /dev/null +++ b/modules/setting-custom-seccomp-profile.adoc 
@@ -0,0 +1,19 @@ +[id="setting-custom-seccomp-profile_{context}"] += Setting up the custom seccomp profile + +.Prerequisite +* You have cluster administrator permissions. +* You have created a custom security context constraints (SCC). For more information, see "Additional resources". +* You have created a custom seccomp profile. + +.Procedure +. Upload your custom seccomp profile to `/var/lib/kubelet/seccomp/.json` by using the Machine Config. See "Additional resources" for detailed steps. + +. Update the custom SCC by providing reference to the created custom seccomp profile: ++ +[source, yaml] +---- +seccompProfiles: +- localhost/.json <1> +---- +<1> Provide the name of your custom seccomp profile. diff --git a/security/seccomp-profiles.adoc b/security/seccomp-profiles.adoc new file mode 100644 index 0000000000..f1148bf4c1 --- /dev/null +++ b/security/seccomp-profiles.adoc 
@@ -0,0 +1,52 @@ +[id="seccomp-profiles"] += Configuring seccomp profiles +include::modules/common-attributes.adoc[] +:context: configuring-seccomp-profiles + +toc::[] + +An {product-title} container or a pod runs a single application that performs one or more well-defined tasks. The application usually requires only a small subset of the underlying operating system kernel APIs. +Seccomp, secure computing mode, is a Linux kernel feature that can be used to limit the process running in a container to only call a subset of the available system calls. These system calls can be configured by creating a profile that is applied to a container or pod. +Seccomp profiles are stored as JSON files on the disk. + +[IMPORTANT] +==== +OpenShift workloads run unconfined by default, without any seccomp profile applied. +==== + +[IMPORTANT] +==== +Seccomp profiles cannot be applied to privileged containers. +==== + +include::modules/configuring-default-seccomp-profile.adoc[leveloffset=+1] + +[id="custom-seccomp-profile"] +== Configuring a custom seccomp profile +You can configure a custom seccomp profile, which allows you to update the filters based on the application requirements. This allows cluster administrators to have greater control over the security of workloads running in OpenShift Container Platform. + +include::modules/setting-custom-seccomp-profile.adoc[leveloffset=+2] +include::modules/applying-custom-seccomp-profile.adoc[leveloffset=+2] + +During deployment, the admission controller validates the following: + +* The annotations against the current SCCs allowed by the user role. +* The SCC, which includes the seccomp profile, is allowed for the pod. + +If the SCC is allowed for the pod, the kubelet runs the pod with the specified seccomp profile. + +[IMPORTANT] +==== +Ensure that the seccomp profile is deployed to all worker nodes. 
+==== + +[NOTE] +==== +The custom SCC must have the appropriate priority to be automatically assigned to the pod or meet other conditions required by the pod, such as allowing CAP_NET_ADMIN. +==== + + +[id="additional-resources_configuring-seccomp-profiles"] +== Additional resources +* xref:../authentication/managing-security-context-constraints.adoc[Managing security context constraints] +* xref:../post_installation_configuration/machine-configuration-tasks.adoc[Post-installation machine configuration tasks]
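Review bot: In modules/applying-custom-seccomp-profile.adoc the example value `localhostProfile: .json <1>` and the annotation value `localhost/.json` carry no file-name placeholder, so the callout "Provide the name of your custom seccomp profile" has nothing visible to point at; show an explicit placeholder such as `<custom_profile_name>.json` in both places. The step should also say that `localhostProfile` is resolved relative to the kubelet's seccomp directory, which is the `/var/lib/kubelet/seccomp/` upload path used in the setting-up module, so readers do not put an absolute path there. Minor wording: "as following" should read "as follows", and "the pod annotations" should be singular since only one annotation is shown.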
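Review bot: In modules/configuring-default-seccomp-profile.adoc the container-level annotation key `container.seccomp.security.alpha.kubernetes.io/: runtime/default` is missing the container-name segment after the slash; the key has to end with the container's name, so write it with a placeholder, for example `container.seccomp.security.alpha.kubernetes.io/<container_name>: runtime/default`. The opening sentence says "OpenShift ships with a default seccomp profile" while the same module uses the `{product-title}` attribute two sentences later; use the attribute for consistency. Grammar: "as following" should be "as follows".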
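Review bot: In modules/setting-custom-seccomp-profile.adoc, step 1 ("Upload your custom seccomp profile to `/var/lib/kubelet/seccomp/.json` by using the Machine Config") needs a file-name placeholder (the path currently reads as a bare `.json`), should name the object type (`MachineConfig`), and should state which machine config pool the object must target: the assembly's IMPORTANT box requires the profile on all worker nodes, so the step should say the `MachineConfig` targets the `worker` pool (or every pool the workload can be scheduled to). Step 2's example `seccompProfiles: - localhost/.json <1>` has the same missing placeholder. The second prerequisite reads "created a custom security context constraints (SCC)"; make it "a custom security context constraint (SCC)".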
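Review bot: In security/seccomp-profiles.adoc the admission-controller list says it validates "The annotations against the current SCCs allowed by the user role", but the two included modules recommend the `securityContext.seccompProfile` field and describe the annotations as deprecated; the bullet should cover the `seccompProfile` field as well, since both are checked against the SCC's `seccompProfiles` list shown in the setting-up module. The second bullet, "The SCC, which includes the seccomp profile, is allowed for the pod", reads as an aside; the intended meaning is "The SCC that includes the seccomp profile is allowed for the pod". The custom-profile section spells out "OpenShift Container Platform" where the rest of the file uses `{product-title}`; use the attribute. Style: the two adjacent IMPORTANT admonitions ("run unconfined by default" and "cannot be applied to privileged containers") could be a single admonition with two sentences.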