mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
110 lines
2.7 KiB
Plaintext
110 lines
2.7 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/security_profiles_operator/spo-selinux.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="spo-replicating-controllers_{context}"]
|
|
= Replicating controllers and SecurityContextConstraints
|
|
|
|
When you deploy SELinux policies for replicating controllers, such as deployments or daemon sets, note that the `Pod` objects spawned by the controllers are not running with the identity of the user who creates the workload. Unless a `ServiceAccount` is selected, the pods might revert to using a restricted `SecurityContextConstraints` (SCC) which does not allow use of custom security policies.
|
|
|
|
.Procedure
|
|
|
|
. Create a project by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc new-project nginx-secure
|
|
----
|
|
|
|
. Create the following `RoleBinding` object to allow SELinux policies to be used in the `nginx-secure` namespace:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
kind: RoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: spo-nginx
|
|
namespace: nginx-secure
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: spo-deploy-test
|
|
roleRef:
|
|
kind: Role
|
|
name: spo-nginx
|
|
apiGroup: rbac.authorization.k8s.io
|
|
----
|
|
|
|
. Create the `Role` object:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
creationTimestamp: null
|
|
name: spo-nginx
|
|
namespace: nginx-secure
|
|
rules:
|
|
- apiGroups:
|
|
- security.openshift.io
|
|
resources:
|
|
- securitycontextconstraints
|
|
resourceNames:
|
|
- privileged
|
|
verbs:
|
|
- use
|
|
----
|
|
|
|
. Create the `ServiceAccount` object:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
creationTimestamp: null
|
|
name: spo-deploy-test
|
|
namespace: nginx-secure
|
|
----
|
|
|
|
. Create the `Deployment` object:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: selinux-test
|
|
namespace: nginx-secure
|
|
metadata:
|
|
labels:
|
|
app: selinux-test
|
|
spec:
|
|
replicas: 3
|
|
selector:
|
|
matchLabels:
|
|
app: selinux-test
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: selinux-test
|
|
spec:
|
|
serviceAccountName: spo-deploy-test
|
|
securityContext:
|
|
seLinuxOptions:
|
|
type: nginx-secure_.process <1>
|
|
containers:
|
|
- name: nginx-unpriv
|
|
image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
|
|
ports:
|
|
- containerPort: 8080
|
|
----
|
|
<1> The `.seLinuxOptions.type` must exist before the Deployment is created.
|
|
+
|
|
[NOTE]
|
|
====
|
|
The SELinux type is not specified in the workload and is handled by the SCC. When the pods are created by the deployment and the `ReplicaSet`, the pods will run with the appropriate profile.
|
|
====
|
|
|
|
Ensure that your SCC is usable by only the correct service account. Refer to _Additional resources_ for more information. |