mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/kmm-security.adoc
2024-04-22 17:52:22 +00:00


// Module included in the following assemblies:
//
// * hardware_enablement/kmm-kernel-module-management.adoc
:_mod-docs-content-type: REFERENCE
[id="kmm-security_{context}"]
= Security and permissions
[IMPORTANT]
====
Loading kernel modules is a highly sensitive operation.
Once loaded, a kernel module runs with full kernel privileges and can perform any operation on the node.
====
[id="serviceaccounts-and-securitycontextconstraint_{context}"]
== ServiceAccounts and SecurityContextConstraints
Kernel Module Management (KMM) creates a privileged workload to load the kernel modules on nodes.
That workload needs `ServiceAccounts` allowed to use the `privileged` `SecurityContextConstraint` (SCC) resource.
The authorization model for that workload depends on the namespace of the `Module` resource, as well as its spec.
* If the `.spec.moduleLoader.serviceAccountName` or `.spec.devicePlugin.serviceAccountName` fields are set, they are always used.
* If those fields are not set, then:
** If the `Module` resource is created in the Operator's namespace (`openshift-kmm` by default), then KMM uses its default, powerful `ServiceAccounts` to run the worker and device plugin pods.
** If the `Module` resource is created in any other namespace, then KMM runs the pods with that namespace's `default` `ServiceAccount`. That `ServiceAccount` cannot run a privileged workload unless you manually grant it use of the `privileged` SCC.
[IMPORTANT]
====
`openshift-kmm` is a trusted namespace.
When setting up RBAC permissions, remember that any user or `ServiceAccount` that can create a `Module` resource in the `openshift-kmm` namespace causes KMM to automatically run privileged workloads on potentially every node in the cluster.
====
To allow any `ServiceAccount` to use the `privileged` SCC and run worker or device plugin pods, you can use the `oc adm policy` command, as in the following example:
[source,terminal]
----
$ oc adm policy add-scc-to-user privileged -z "${serviceAccountName}" [ -n "${namespace}" ]
----
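The resolution rules above, as an added pre-flight check (example code, not from the KMM documentation or project): it reads a `Module` manifest, works out which `ServiceAccount` the worker and device plugin pods will run as, and prints the `oc adm policy` grant still required for each. The manifest, the names `sample-kmod`, `my-namespace` and `kmod-loader-sa`, and the `<kmm-default>` placeholder are constructed assumptions; the script also assumes the operator namespace is `openshift-kmm` (override with `KMM_OPERATOR_NS`) and that an explicitly named `ServiceAccount` has not already been granted the SCC. Nothing is applied to a cluster.

```shell
#!/bin/sh
# Added example, not code from the KMM documentation or project: a dry-run pre-flight
# check that applies this section's ServiceAccount rules to a Module manifest and prints
# the `oc adm policy` grants still required. Assumptions: the operator namespace is
# openshift-kmm, and an explicitly named ServiceAccount has not yet been granted the SCC.

KMM_OPERATOR_NS="${KMM_OPERATOR_NS:-openshift-kmm}"

# Constructed sample manifest: an explicit SA for the module loader, none for the device plugin.
kmm_sample_manifest() {
  cat <<'EOF'
apiVersion: kmm.sigs.x-k8s.io/v1beta1
kind: Module
metadata:
  name: sample-kmod
  namespace: my-namespace
spec:
  moduleLoader:
    serviceAccountName: kmod-loader-sa
    container:
      modprobe:
        moduleName: sample_kmod
  devicePlugin:
    container:
      image: quay.io/example/device-plugin:latest
EOF
}

# Reads a manifest on stdin; prints metadata.namespace.
kmm_module_namespace() {
  awk '/^[^ ]/ { m = ($1 == "metadata:") }
       m && /^  namespace:/ { print $2; exit }'
}

# Reads a manifest on stdin; prints spec.<SECTION>.serviceAccountName, or nothing if unset.
# SECTION is moduleLoader or devicePlugin (two-space indented keys directly under spec).
kmm_module_sa_field() {
  awk -v want="$1" '
    /^[^ ]/             { inspec = ($1 == "spec:"); section = "" }
    inspec && /^  [^ ]/ { section = $1; sub(/:$/, "", section) }
    inspec && section == want && /^    serviceAccountName:/ { print $2; exit }'
}

# kmm_effective_sa MODULE_NS SPEC_SA -> the ServiceAccount the pod runs as.
# An explicit field always wins. Otherwise the operator namespace gets KMM's own privileged
# ServiceAccounts (shown as the placeholder "<kmm-default>"); any other namespace gets its
# "default" SA, which cannot use the privileged SCC until you grant it.
kmm_effective_sa() {
  spec_sa="${2:-}"
  if [ -n "$spec_sa" ]; then printf '%s\n' "$spec_sa"
  elif [ "$1" = "$KMM_OPERATOR_NS" ]; then printf '%s\n' "<kmm-default>"
  else printf '%s\n' "default"
  fi
}

# Reads a manifest on stdin; prints one `oc adm policy` line per SA that still needs the SCC.
kmm_required_grants() {
  manifest="$(cat)"
  ns="$(printf '%s\n' "$manifest" | kmm_module_namespace)"
  for section in moduleLoader devicePlugin; do
    field_sa="$(printf '%s\n' "$manifest" | kmm_module_sa_field "$section")"
    sa="$(kmm_effective_sa "$ns" "$field_sa")"
    [ "$sa" = "<kmm-default>" ] && continue   # KMM's defaults already hold the SCC
    printf 'oc adm policy add-scc-to-user privileged -z "%s" -n "%s"\n' "$sa" "$ns"
  done | sort -u
}

kmm_sample_manifest | kmm_required_grants
```

Pipe any `Module` manifest into `kmm_required_grants` before applying it. For the constructed sample this prints one grant for `kmod-loader-sa` and one for the namespace's `default` SA, both in `my-namespace`; empty output means every pod would run under KMM's own `ServiceAccounts` in the operator namespace, which is exactly the case the IMPORTANT note above warns about.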
[id="pod-security-standards_{context}"]
== Pod security standards
OpenShift runs a synchronization mechanism that automatically sets the namespace's Pod Security Admission level based on the security contexts (SCCs) in use, so no action is needed.