openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
0c2bea29fb0caee2a43129dc8647b3c170dd8482
openshift-docs/modules/sdpolicy-security.adoc

86 lines
5.2 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * osd_architecture/osd_policy/osd-service-definition.adoc
:_mod-docs-content-type: CONCEPT
[id="sdpolicy-security_{context}"]
= Security
[role="_abstract"]
Review the security features and configurations of {product-title}.
[id="auth-provider_{context}"]
== Authentication provider
Authentication for the cluster is configured as part of {cluster-manager-first} cluster creation process. OpenShift is not an identity provider, and all access to the cluster must be managed by the customer as part of their integrated solution. Provisioning multiple identity providers provisioned at the same time is supported. The following identity providers are supported:
* GitHub or GitHub Enterprise OAuth
* GitLab OAuth
* Google OAuth
* LDAP
* OpenID connect
[id="privileged-containers_{context}"]
== Privileged containers
Privileged containers are not available by default on {product-title}. The `anyuid` and `nonroot` Security Context Constraints are available for members of the `dedicated-admins` group, and should address many use cases. Privileged containers are only available for `cluster-admin` users.
[id="cluster-admin-user_{context}"]
== Customer administrator user
In addition to normal users, {product-title} provides access to an {product-title}-specific group called `dedicated-admin`. Any users on the cluster that are members of the `dedicated-admin` group:
* Have administrator access to all customer-created projects on the cluster.
* Can manage resource quotas and limits on the cluster.
* Can add and manage `NetworkPolicy` objects.
* Are able to view information about specific nodes and PVs in the cluster, including scheduler information.
* Can access the reserved `dedicated-admin` project on the cluster, which allows for the creation of service accounts with elevated privileges and also gives the ability to update default limits and quotas for projects on the cluster.
* Can install Operators from the software catalog (`\*` verbs in all `*.operators.coreos.com` API groups).
[id="cluster-admin-role_{context}"]
== Cluster administration role
As an administrator of {product-title} with Customer Cloud Subscriptions (CCS), you have access to the `cluster-admin` role. While logged in to an account with the `cluster-admin` role, users have mostly unrestricted access to control and configure the cluster. There are some configurations that are blocked with webhooks to prevent destablizing the cluster, or because they are managed in {cluster-manager} and any in-cluster changes would be overwritten.
[id="project-self-service_{context}"]
== Project self-service
All users, by default, have the ability to create, update, and delete their projects. This can be restricted if a member of the `dedicated-admin` group removes the self-provisioner role from authenticated users:
[source,terminal]
----
$ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
----
Restrictions can be reverted by applying:
[source,terminal]
----
$ oc adm policy add-cluster-role-to-group self-provisioner system:authenticated:oauth
----
[id="regulatory-compliance_{context}"]
== Regulatory compliance
See the _Security and control certifications for {product-title}_ table in _Understanding process and security for {product-title}_ for the latest compliance information.
[id="network-security_{context}"]
== Network security
Each {product-title} cluster is protected by a secure network configuration at the cloud infrastructure level using firewall rules (AWS Security Groups or {gcp-full} Compute Engine firewall rules). {product-title} customers on AWS are also protected against DDoS attacks with link:https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html[AWS Shield Standard].
Similarly, all {gcp-short} load balancers and public IP addresses used by {product-title} on {gcp-short} are protected against DDoS attacks with link:https://cloud.google.com/armor/docs/managed-protection-overview[{gcp-full} Armor Standard].
[id="etcd-encryption_{context}"]
== etcd encryption
In {product-title}, the control plane storage is encrypted at rest by default and this includes encryption of the etcd volumes. This storage-level encryption is provided through the storage layer of the cloud provider.
You can also enable etcd encryption, which encrypts the key values in etcd, but not the keys. If you enable etcd encryption, the following Kubernetes API server and OpenShift API server resources are encrypted:
* Secrets
* Config maps
* Routes
* OAuth access tokens
* OAuth authorize tokens
The etcd encryption feature is not enabled by default and it can be enabled only at cluster installation time. Even with etcd encryption enabled, the etcd key values are accessible to anyone with access to the control plane nodes or `cluster-admin` privileges.
[IMPORTANT]
====
By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Red Hat recommends that you enable etcd encryption only if you specifically require it for your use case.
====
View Git Blame Copy Permalink