mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
33 lines
2.4 KiB
Plaintext
33 lines
2.4 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * edge_computing/day_2_core_cnf_clusters/security/security-host-sec.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="security-rhcos-overview_{context}"]
|
|
= {op-system-first}
|
|
|
|
{op-system-first} is different from {op-system-base-full} in key areas. For more information, see "About {op-system}".
|
|
|
|
A major distinction is the control of `rpm-ostree`, which is updated through the Machine Config Operator.
|
|
|
|
{op-system} follows the same immutable design used for pods in {product-title}. This ensures that the operating system remains consistent across the cluster. For information about {op-system} architecture, see "{op-system-first}".
|
|
|
|
To manage hosts effectively while maintaining security, avoid direct access whenever possible. Instead, you can use the following methods for host management:
|
|
|
|
* Debug pod
|
|
* Direct SSHs
|
|
* Console access
|
|
|
|
Review the following {op-system} security mechanisms that are integral to maintaining host security:
|
|
|
|
Linux namespaces:: Provide isolation for processes and resources. Each container keeps its processes and files within its own namespace. If a user escapes from the container namespace, they could gain access to the host operating system, potentially compromising security.
|
|
|
|
Security-Enhanced Linux (SELinux):: Enforces mandatory access controls to restrict access to files and directories by processes. SELinux adds an extra layer of security by preventing unauthorized access to files if a process tries to break its confinement.
|
|
+
|
|
SELinux follows the security policy of denying everything unless explicitly allowed. If a process attempts to modify or access a file without permission, SELinux denies access. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html-single/using_selinux/index#introduction-to-selinux_getting-started-with-selinux[Introduction to SELinux].
|
|
|
|
Linux capabilities:: Assign specific privileges to processes at a granular level, minimizing the need for full root permissions. For more information, see "Linux capabilities".
|
|
|
|
Control groups (cgroups):: Allocate and manage system resources, such as CPU and memory for processes and containers, ensuring efficient usage. As of {product-title} 4.16, there are two versions of cgroups. cgroup v2 is now configured by default.
|
|
|
|
CRI-O:: Serves as a lightweight container runtime that enforces security boundaries and manages container workloads. |