openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-07 09:46:53 +01:00
Code Issues Releases Activity
Files
824b9a0a0bd419215da170d9fe193d98c6782eea
openshift-docs/modules/hcp-isolation.adoc
Laura Hinson f0e8f98cbf [OSDOCS-13450]: Isolation details for HCP
2025-05-15 11:18:39 -04:00

43 lines
2.2 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * hosted_control_planes/hcp-prepare/hcp-distribute-workloads.adoc
:_mod-docs-content-type: CONCEPT
[id="hcp-isolation_{context}"]
= Control plane isolation
You can configure {hcp} to isolate network traffic or control plane pods.
== Network policy isolation
Each hosted control plane is assigned to run in a dedicated Kubernetes namespace. By default, the Kubernetes namespace denies all network traffic.
The following network traffic is allowed through the network policy that is enforced by the Kubernetes Container Network Interface (CNI):
* Ingress pod-to-pod communication in the same namespace (intra-tenant)
* Ingress on port 6443 to the hosted `kube-apiserver` pod for the tenant
* Metric scraping from the management cluster Kubernetes namespace with the `network.openshift.io/policy-group: monitoring` label is allowed for monitoring
== Control plane pod isolation
In addition to network policies, each hosted control plane pod is run with the `restricted` security context constraint. This policy denies access to all host features and requires pods to be run with a UID and with SELinux context that is allocated uniquely to each namespace that hosts a customer control plane.
The policy ensures the following constraints:
* Pods cannot run as privileged.
* Pods cannot mount host directory volumes.
* Pods must run as a user in a pre-allocated range of UIDs.
* Pods must run with a pre-allocated MCS label.
* Pods cannot access the host network namespace.
* Pods cannot expose host network ports.
* Pods cannot access the host PID namespace.
* By default, pods drop the following Linux capabilities: `KILL`, `MKNOD`, `SETUID`, and `SETGID`.
The management components, such as `kubelet` and `crio`, on each management cluster worker node are protected by an SELinux label that is not accessible to the SELinux context for pods that support {hcp}.
The following SELinux labels are used for key processes and sockets:
* *kubelet*: `system_u:system_r:unconfined_service_t:s0`
* *crio*: `system_u:system_r:container_runtime_t:s0`
* *crio.sock*: `system_u:object_r:container_var_run_t:s0`
* *<example user container processes>*: `system_u:system_r:container_t:s0:c14,c24`
View Git Blame Copy Permalink