openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/spo-creating-profiles.adoc

159 lines
4.2 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * security/security_profiles_operator/spo-seccomp.adoc
// * security/security_profiles_operator/spo-selinux.adoc
ifeval::["{context}" == "spo-seccomp"]
:seccomp:
:type: seccomp
:kind: SeccompProfile
endif::[]
ifeval::["{context}" == "spo-selinux"]
:selinux:
:type: SELinux
:kind: SelinuxProfile
endif::[]
:_mod-docs-content-type: PROCEDURE
[id="spo-creating-profiles_{context}"]
= Creating {type} profiles
Use the `{kind}` object to create profiles.
ifdef::seccomp[]
`{kind}` objects can restrict syscalls within a container, limiting the access of your application.
.Procedure
. Create a project by running the following command:
+
[source,terminal]
----
$ oc new-project my-namespace
----
. Create the `{kind}` object:
+
[source,yaml,subs="attributes+"]
----
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: {kind}
metadata:
name: profile1
spec:
defaultAction: SCMP_ACT_LOG
----
The {type} profile will be saved in `/var/lib/kubelet/{type}/operator/<namespace>/<name>.json`.
An `init` container creates the root directory of the Security Profiles Operator to run the Operator without `root` group or user ID privileges. A symbolic link is created from the rootless profile storage `/var/lib/openshift-security-profiles` to the default `seccomp` root path inside of the kubelet root `/var/lib/kubelet/{type}/operator`.
endif::[]
ifdef::selinux[]
The `{kind}` object has several features that allow for better security hardening and readability:
* Restricts the profiles to inherit from to the current namespace or a system-wide profile. Because there are typically many profiles installed on the system, but only a subset should be used by cluster workloads, the inheritable system profiles are listed in the `spod` instance in `spec.selinuxOptions.allowedSystemProfiles`.
* Performs basic validation of the permissions, classes and labels.
* Adds a new keyword `@self` that describes the process using the policy. This allows reusing a policy between workloads and namespaces easily, as the usage of the policy is based on the name and namespace.
* Adds features for better security hardening and readability compared to writing a profile directly in the SELinux CIL language.
.Procedure
. Create a project by running the following command:
+
[source,terminal]
----
$ oc new-project nginx-deploy
----
. Create a policy that can be used with a non-privileged workload by creating the following `{kind}` object:
+
[source,yaml,subs="attributes+"]
----
apiVersion: security-profiles-operator.x-k8s.io/v1alpha2
kind: {kind}
metadata:
name: nginx-secure
spec:
allow:
'@self':
tcp_socket:
- listen
http_cache_port_t:
tcp_socket:
- name_bind
node_t:
tcp_socket:
- node_bind
inherit:
- kind: System
name: container
----
. Wait for `selinuxd` to install the policy by running the following command:
+
[source,terminal]
----
$ oc wait --for=condition=ready selinuxprofile nginx-secure
----
+
.Example output
[source,terminal]
----
selinuxprofile.security-profiles-operator.x-k8s.io/nginx-secure condition met
----
+
The policies are placed into an `emptyDir` in the container owned by the Security Profiles Operator. The policies are saved in Common Intermediate Language (CIL) format in `/etc/selinux.d/<name>_<namespace>.cil`.
. Access the pod by running the following command:
+
[source,terminal]
----
$ oc -n openshift-security-profiles rsh -c selinuxd ds/spod
----
.Verification
. View the file contents with `cat` by running the following command:
+
[source,terminal]
----
$ cat /etc/selinux.d/nginx-secure_.cil
----
+
.Example output
[source,terminal]
----
(block nginx-secure_
(blockinherit container)
(allow process nginx-secure_.process ( tcp_socket ( listen )))
(allow process http_cache_port_t ( tcp_socket ( name_bind )))
(allow process node_t ( tcp_socket ( node_bind )))
)
----
. Verify that a policy has been installed by running the following command:
+
[source,terminal]
----
$ semodule -l | grep nginx-secure
----
+
.Example output
[source,terminal]
----
nginx-secure_
----
endif::[]
ifeval::["{context}" == "spo-seccomp"]
:!seccomp:
:!type:
:!kind:
endif::[]
ifeval::["{context}" == "spo-selinux"]
:!selinux:
:!type:
:!kind:
endif::[]
View Git Blame Copy Permalink