mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
138 lines
3.5 KiB
Plaintext
138 lines
3.5 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/security_profiles_operator/spo-seccomp.adoc
|
|
// * security/security_profiles_operator/spo-selinux.adoc
|
|
// JKB added conditionalization requested by QE
|
|
|
|
|
|
ifeval::["{context}" == "spo-seccomp"]
|
|
:seccomp:
|
|
:type: seccomp
|
|
:kind: SeccompProfile
|
|
:object: seccompprofiles
|
|
endif::[]
|
|
ifeval::["{context}" == "spo-selinux"]
|
|
:selinux:
|
|
:type: SELinux
|
|
:kind: SelinuxProfile
|
|
:object: selinuxprofiles
|
|
endif::[]
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="spo-container-profile-instances_{context}"]
|
|
= Merging per-container profile instances
|
|
|
|
By default, each container instance records into a separate profile. The Security Profiles Operator can merge the per-container profiles into a single profile. Merging profiles is useful when deploying applications using `ReplicaSet` or `Deployment` objects.
|
|
|
|
.Procedure
|
|
|
|
. Edit a `ProfileRecording` object to include a `mergeStrategy: containers` variable:
|
|
+
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
|
|
kind: ProfileRecording
|
|
metadata:
|
|
# The name of the Recording is the same as the resulting {kind} CRD
|
|
# after reconciliation.
|
|
name: test-recording
|
|
namespace: my-namespace
|
|
spec:
|
|
kind: {kind}
|
|
recorder: logs
|
|
mergeStrategy: containers
|
|
podSelector:
|
|
matchLabels:
|
|
app: sp-record
|
|
----
|
|
|
|
. Label the namespace by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc label ns my-namespace security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged --overwrite=true
|
|
----
|
|
. Create the workload with the following YAML:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: nginx-deploy
|
|
namespace: my-namespace
|
|
spec:
|
|
replicas: 3
|
|
selector:
|
|
matchLabels:
|
|
app: sp-record
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: sp-record
|
|
spec:
|
|
serviceAccountName: spo-record-sa
|
|
containers:
|
|
- name: nginx-record
|
|
image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
|
|
ports:
|
|
- containerPort: 8080
|
|
----
|
|
|
|
. To record the individual profiles, delete the deployment by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc delete deployment nginx-deploy -n my-namespace
|
|
----
|
|
|
|
. To merge the profiles, delete the profile recording by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc delete profilerecording test-recording -n my-namespace
|
|
----
|
|
|
|
. To start the merge operation and generate the results profile, run the following command:
|
|
+
|
|
[source,terminal,subs="attributes+"]
|
|
----
|
|
$ oc get {object} -lspo.x-k8s.io/recording-id=test-recording -n my-namespace
|
|
----
|
|
ifdef::selinux[]
|
|
+
|
|
.Example output for {object}
|
|
[source,terminal]
|
|
----
|
|
NAME USAGE STATE
|
|
test-recording-nginx-record test-recording-nginx-record_.process Installed
|
|
----
|
|
endif::[]
|
|
ifdef::seccomp[]
|
|
+
|
|
.Example output for {object}
|
|
[source,terminal]
|
|
----
|
|
NAME STATUS AGE
|
|
test-recording-nginx-record Installed 55s
|
|
----
|
|
endif::[]
|
|
. To view the permissions used by any of the containers, run the following command:
|
|
+
|
|
[source,terminal,subs="attributes+"]
|
|
----
|
|
$ oc get {object} test-recording-nginx-record -o yaml
|
|
----
|
|
|
|
ifeval::["{context}" == "spo-seccomp"]
|
|
:!seccomp:
|
|
:!type:
|
|
:!kind:
|
|
:!object:
|
|
endif::[]
|
|
ifeval::["{context}" == "spo-selinux"]
|
|
:!selinux:
|
|
:!type:
|
|
:!kind:
|
|
:!object:
|
|
endif::[] |