mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
123 lines
2.9 KiB
Plaintext
123 lines
2.9 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/security_profiles_operator/spo-seccomp.adoc
|
|
// * security/security_profiles_operator/spo-selinux.adoc
|
|
|
|
ifeval::["{context}" == "spo-seccomp"]
|
|
:seccomp:
|
|
:type: seccomp
|
|
:kind: SeccompProfile
|
|
endif::[]
|
|
ifeval::["{context}" == "spo-selinux"]
|
|
:selinux:
|
|
:type: SELinux
|
|
:kind: SelinuxProfile
|
|
endif::[]
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="spo-binding-workloads_{context}"]
|
|
= Binding workloads to profiles with ProfileBindings
|
|
|
|
You can use the `ProfileBinding` resource to bind a security profile to the `SecurityContext` of a container.
|
|
|
|
.Procedure
|
|
|
|
. To bind a pod that uses a `quay.io/security-profiles-operator/test-nginx-unprivileged:1.21` image to the example `{kind}` profile, create a `ProfileBinding` object in the same namespace with the pod and the `{kind}` objects:
|
|
+
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
|
|
kind: ProfileBinding
|
|
metadata:
|
|
namespace: my-namespace
|
|
name: nginx-binding
|
|
spec:
|
|
profileRef:
|
|
kind: {kind} <1>
|
|
name: profile <2>
|
|
image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21 <3>
|
|
----
|
|
<1> The `kind:` variable refers to the kind of the profile.
|
|
<2> The `name:` variable refers to the name of the profile.
|
|
<3> You can enable a default security profile by using a wildcard in the image attribute: `image: "*"`
|
|
+
|
|
[IMPORTANT]
|
|
====
|
|
Using the `image: "*"` wildcard attribute binds all new pods with a default security profile in a given namespace.
|
|
====
|
|
|
|
. Label the namespace with `enable-binding=true` by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc label ns my-namespace spo.x-k8s.io/enable-binding=true
|
|
----
|
|
|
|
. Define a pod named `test-pod.yaml`:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: test-pod
|
|
spec:
|
|
containers:
|
|
- name: test-container
|
|
image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
|
|
----
|
|
|
|
. Create the pod:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create -f test-pod.yaml
|
|
----
|
|
+
|
|
[NOTE]
|
|
====
|
|
If the pod already exists, you must re-create the pod for the binding to work properly.
|
|
====
|
|
|
|
.Verification
|
|
|
|
ifdef::seccomp[]
|
|
* Confirm the pod inherits the `ProfileBinding` by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get pod test-pod -o jsonpath='{.spec.containers[*].securityContext.seccompProfile}'
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
{"localhostProfile":"operator/profile.json","type":"Localhost"}
|
|
----
|
|
endif::[]
|
|
ifdef::selinux[]
|
|
* Confirm the pod inherits the `ProfileBinding` by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get pod test-pod -o jsonpath='{.spec.containers[*].securityContext.seLinuxOptions.type}'
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
profile_.process
|
|
----
|
|
endif::[]
|
|
|
|
|
|
ifeval::["{context}" == "spo-seccomp"]
|
|
:!seccomp:
|
|
:!type:
|
|
:!kind:
|
|
endif::[]
|
|
ifeval::["{context}" == "spo-selinux"]
|
|
:!selinux:
|
|
:!type:
|
|
:!kind:
|
|
endif::[] |