mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 21:46:22 +01:00
openshift-docs/modules/telco-core-security.adoc
2024-10-04 20:31:04 +01:00
// Module included in the following assemblies:
//
// * scalability_and_performance/telco_ref_design_specs/core/telco-core-ref-design-components.adoc
:_mod-docs-content-type: REFERENCE
[id="telco-core-security_{context}"]
= Security
New in this release::
//CNF-11806
* Secure boot host firmware setting is now recommended for telco core clusters.
For more information, see "Host firmware and boot loader configuration".
Description::
You should harden clusters against multiple attack vectors.
In {product-title}, there is no single component or feature responsible for securing a cluster.
Use the following security-oriented features and configurations to secure your clusters:
* **SecurityContextConstraints (SCC)**: All workload pods should be run with `restricted-v2` or `restricted` SCC.
* **Seccomp**: All pods should be run with the `RuntimeDefault` (or stronger) seccomp profile.
* **Rootless DPDK pods**: Many user-plane networking (DPDK) CNFs require pods to run with root privileges. With this feature, a conformant DPDK pod can be run without requiring root privileges.
Rootless DPDK pods create a tap device in a rootless pod that injects traffic from a DPDK application to the kernel.
* **Storage**: The storage network should be isolated and non-routable to other cluster networks. See the "Storage" section for additional details.
Limits and requirements::
* Rootless DPDK pods require the following additional configuration steps:
** Configure the TAP plugin with the `container_t` SELinux context.
** Enable the `container_use_devices` SELinux boolean on the hosts.
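The SCC, seccomp and SELinux boolean requirements above can be checked mechanically. The following is an added example, not part of the openshift-docs module or the product: it audits pod manifests against those rules and parses `getsebool` output for `container_use_devices`. The `openshift.io/scc` annotation is the one OpenShift sets on admitted pods; the pod manifests are constructed samples.

```python
# Added example: audit pods against the telco core security guidance.
ALLOWED_SCCS = {"restricted-v2", "restricted"}
# RuntimeDefault, or a Localhost profile (expected to be at least as strict).
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def effective_seccomp(pod, container):
    """A container-level seccompProfile overrides the pod-level one."""
    ctx = container.get("securityContext", {})
    if "seccompProfile" in ctx:
        return ctx["seccompProfile"].get("type")
    pod_ctx = pod["spec"].get("securityContext", {})
    return pod_ctx.get("seccompProfile", {}).get("type")


def audit_pod(pod):
    """Return a list of findings; an empty list means the pod is compliant."""
    findings = []
    name = pod["metadata"]["name"]
    scc = pod["metadata"].get("annotations", {}).get("openshift.io/scc")
    if scc not in ALLOWED_SCCS:
        findings.append(f"{name}: admitted by SCC {scc!r}, expected restricted-v2 or restricted")
    for c in pod["spec"].get("containers", []):
        ctx = c.get("securityContext", {})
        if effective_seccomp(pod, c) not in ALLOWED_SECCOMP_TYPES:
            findings.append(f"{name}/{c['name']}: seccomp profile is not RuntimeDefault or stronger")
        if ctx.get("privileged") or ctx.get("runAsUser") == 0:
            findings.append(f"{name}/{c['name']}: privileged or root; rootless DPDK pods avoid this")
    return findings


def selinux_boolean_enabled(getsebool_output, boolean="container_use_devices"):
    """Parse `getsebool <boolean>` output such as 'container_use_devices --> on'."""
    for line in getsebool_output.splitlines():
        key, sep, value = line.partition("-->")
        if sep and key.strip() == boolean:
            return value.strip() == "on"
    return False


# Constructed sample manifests (not real cluster output).
GOOD_POD = {
    "metadata": {"name": "dpdk-good", "annotations": {"openshift.io/scc": "restricted-v2"}},
    "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "app", "securityContext": {"runAsNonRoot": True}}]},
}
BAD_POD = {
    "metadata": {"name": "dpdk-bad", "annotations": {"openshift.io/scc": "privileged"}},
    "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
             "containers": [{"name": "app", "securityContext": {
                 "privileged": True, "seccompProfile": {"type": "Unconfined"}}}]},
}
```

On a live cluster, feed `audit_pod` the items from `oc get pods -A -o json` and `selinux_boolean_enabled` the output of `getsebool container_use_devices` run on each node.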
Engineering considerations::
* For rootless DPDK pod support, the SELinux boolean `container_use_devices` must be enabled on the host for the TAP device to be created. This introduces a security risk that is acceptable for short to mid-term use. Other solutions will be explored.