mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * security/zero_trust_workload_identity_manageer/zero-trust-manager-configuration.adoc

:_mod-docs-content-type: PROCEDURE
[id="zero-trust-manager-spire-agent-config_{context}"]
= Deploying the SPIRE Agent

[role="_abstract"]
Use the `SpireAgent` custom resource (CR) to configure the SPIRE Agent `DaemonSet` that runs on each node of your {product-title} cluster. The CR defines how each agent proves its own identity to the SPIRE Server (node attestation) and how it verifies the identity of the workloads on its node (workload attestation).

.Prerequisites

* You have access to the cluster as a user with the `cluster-admin` role.
* You have installed {zero-trust-full} in the cluster.

.Procedure

. Create the `SpireAgent` CR:

.. Create a YAML file that defines the `SpireAgent` CR, for example, `SpireAgent.yaml`:
+
.Example `SpireAgent.yaml`
[source,yaml]
----
apiVersion: operator.openshift.io/v1alpha1
kind: SpireAgent
metadata:
  name: cluster
spec:
  socketPath: "/run/spire/agent-sockets"
  logLevel: "info"
  logFormat: "text"
  nodeAttestor:
    k8sPSATEnabled: "true"
  workloadAttestors:
    k8sEnabled: "true"
    workloadAttestorsVerification:
      type: "auto"
      hostCertBasePath: "/etc/kubernetes"
      hostCertFileName: "kubelet-ca.crt"
    disableContainerSelectors: "false"
    useNewContainerLocator: "true"
----

where:

name:: Must be `cluster`.
socketPath:: Specifies the directory on the host where the SPIRE Agent creates its Workload API socket. This directory is shared with the SPIFFE CSI driver through a `hostPath` volume, so it must match `SpiffeCSIDriver.spec.agentSocketPath` for workloads to reach the socket. Must be an absolute path with a maximum length of 256 characters.
logLevel:: Specifies the logging level for the SPIRE Agent. The valid options are `debug`, `info`, `warn`, and `error`.
logFormat:: Specifies the logging format for the SPIRE Agent. The valid options are `text` and `json`.
k8sPSATEnabled:: Specifies whether Kubernetes Projected Service Account Token (PSAT) node attestation is enabled. When enabled, the SPIRE Agent presents a projected service account token to prove its identity to the SPIRE Server during node attestation. The valid options are `true` and `false`.
k8sEnabled:: Specifies whether the Kubernetes workload attestor is enabled. When enabled, the SPIRE Agent verifies workload identities using pod information obtained from the kubelet and service account tokens. The valid options are `true` and `false`.
type:: Specifies how the SPIRE Agent verifies the kubelet's serving certificate when it queries the kubelet for pod information. The valid options are `auto`, `hostCert`, and `skip`. With `hostCert`, the agent validates the kubelet certificate against the CA file given by `hostCertBasePath` and `hostCertFileName`. With `skip`, the agent does not verify the kubelet certificate at all; use `skip` only for troubleshooting in test clusters, because the attestor's identity decisions rely on the pod information it receives from the kubelet.
hostCertBasePath:: Specifies the directory containing the kubelet CA certificate. Required when `type` is `hostCert`. Optional when `type` is `auto`; defaults to `/etc/kubernetes` if not specified.
hostCertFileName:: Specifies the file name of the kubelet CA certificate. Combined with `hostCertBasePath`, it forms the full path. Required when `type` is `hostCert`. Optional when `type` is `auto`; defaults to `kubelet-ca.crt` if not specified.
disableContainerSelectors:: Specifies whether to disable container selectors in the Kubernetes workload attestor. Set to `true` if you use `holdApplicationUntilProxyStarts` in Istio. The valid options are `true` and `false`.
useNewContainerLocator:: Specifies whether to enable the new container locator algorithm, which supports cgroups v2. The valid options are `true` and `false`.

.. Apply the configuration by running the following command:
+
[source,terminal]
----
$ oc apply -f SpireAgent.yaml
----
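
The constraints in the field descriptions above are easy to get wrong before you run `oc apply`, and the one with the largest blast radius, a `socketPath` that does not match the SPIFFE CSI driver's `agentSocketPath`, does not show up as a `DaemonSet` failure. The following pre-apply lint is an added example written for this page; it is not code from the operator, from SPIRE, or from the {product-title} documentation. It assumes the CR is available as a Python dict, for example `json.load()` of the output of `oc get spireagent cluster -o json` (the lowercase resource name is an assumption), and it uses constructed sample CRs rather than data from a real cluster.

```python
"""Pre-apply lint for a SpireAgent CR (added example; not operator or SPIRE code).

Checks the constraints from the field descriptions above against the CR as a
dict, e.g. json.load() of `oc get spireagent cluster -o json` (assumption:
the lowercase resource name), and cross-checks socketPath against the
SpiffeCSIDriver CR. Sample CRs below are constructed for the example.
"""
import json
import sys

LOG_LEVELS = {"debug", "info", "warn", "error"}
LOG_FORMATS = {"text", "json"}
VERIFY_TYPES = {"auto", "hostCert", "skip"}
BOOL_STRINGS = {"true", "false"}  # the CR carries booleans as quoted strings


def _check_enum(findings, path, value, allowed):
    """Flag a field that is present but outside its documented value set."""
    if value is not None and value not in allowed:
        findings.append(f"ERROR: {path} is {value!r}; expected one of {sorted(allowed)}")


def lint_spire_agent(agent, csi_driver=None):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means the CR is clean."""
    findings = []
    spec = agent.get("spec", {})
    wl = spec.get("workloadAttestors", {})
    verify = wl.get("workloadAttestorsVerification", {})

    if agent.get("metadata", {}).get("name") != "cluster":
        findings.append("ERROR: metadata.name must be 'cluster'")

    # socketPath is a hostPath shared with the SPIFFE CSI driver: absolute, at
    # most 256 characters, and identical to SpiffeCSIDriver.spec.agentSocketPath.
    sock = spec.get("socketPath", "")
    if not sock.startswith("/"):
        findings.append("ERROR: spec.socketPath must be an absolute path")
    if len(sock) > 256:
        findings.append("ERROR: spec.socketPath is longer than 256 characters")
    if csi_driver is not None:
        csi_sock = csi_driver.get("spec", {}).get("agentSocketPath")
        if csi_sock != sock:
            findings.append(f"ERROR: spec.socketPath {sock!r} differs from "
                            f"SpiffeCSIDriver.spec.agentSocketPath {csi_sock!r}; "
                            "workloads will not find the Workload API socket")

    _check_enum(findings, "spec.logLevel", spec.get("logLevel"), LOG_LEVELS)
    _check_enum(findings, "spec.logFormat", spec.get("logFormat"), LOG_FORMATS)
    _check_enum(findings, "spec.nodeAttestor.k8sPSATEnabled",
                spec.get("nodeAttestor", {}).get("k8sPSATEnabled"), BOOL_STRINGS)
    for key in ("k8sEnabled", "disableContainerSelectors", "useNewContainerLocator"):
        _check_enum(findings, f"spec.workloadAttestors.{key}", wl.get(key), BOOL_STRINGS)

    # Kubelet certificate verification: 'hostCert' needs an explicit CA file,
    # 'skip' turns verification of the kubelet's serving certificate off.
    vtype = verify.get("type")
    _check_enum(findings, "workloadAttestorsVerification.type", vtype, VERIFY_TYPES)
    if vtype == "hostCert":
        for key in ("hostCertBasePath", "hostCertFileName"):
            if not verify.get(key):
                findings.append(f"ERROR: workloadAttestorsVerification.{key} "
                                "is required when type is 'hostCert'")
    elif vtype == "skip":
        findings.append("WARN: workloadAttestorsVerification.type 'skip' disables kubelet "
                        "certificate verification; use it only in test clusters")
    return findings


# Constructed samples: the CR from the procedure above, a matching
# SpiffeCSIDriver, and a deliberately broken CR.
GOOD_AGENT = {
    "apiVersion": "operator.openshift.io/v1alpha1", "kind": "SpireAgent",
    "metadata": {"name": "cluster"},
    "spec": {
        "socketPath": "/run/spire/agent-sockets", "logLevel": "info", "logFormat": "text",
        "nodeAttestor": {"k8sPSATEnabled": "true"},
        "workloadAttestors": {
            "k8sEnabled": "true",
            "workloadAttestorsVerification": {"type": "auto", "hostCertBasePath": "/etc/kubernetes",
                                              "hostCertFileName": "kubelet-ca.crt"},
            "disableContainerSelectors": "false", "useNewContainerLocator": "true"}}}
CSI_DRIVER = {"kind": "SpiffeCSIDriver", "metadata": {"name": "cluster"},
              "spec": {"agentSocketPath": "/run/spire/agent-sockets"}}
BAD_AGENT = {
    "kind": "SpireAgent", "metadata": {"name": "spire-agent"},
    "spec": {"socketPath": "run/spire/agent-sockets", "logLevel": "verbose",
             "nodeAttestor": {"k8sPSATEnabled": "yes"},
             "workloadAttestors": {"k8sEnabled": "true",
                                   "workloadAttestorsVerification": {"type": "hostCert"}}}}

if __name__ == "__main__":
    # Usage: oc get spireagent cluster -o json | python3 lint_spire_agent.py
    agent = GOOD_AGENT if sys.stdin.isatty() else json.load(sys.stdin)
    for line in lint_spire_agent(agent, CSI_DRIVER) or ["OK: no findings"]:
        print(line)
```

Run it with the live CR on standard input as shown in the `__main__` block. To cross-check against the real CSI driver instead of the constructed `CSI_DRIVER`, pass `json.load()` of `oc get spiffecsidriver cluster -o json` (again an assumed resource name) as the second argument. The `skip` mode is reported as a warning rather than an error on purpose: it is a valid value, but it should never reach a production cluster unnoticed.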

.Verification

* Verify that the `DaemonSet` of the SPIRE Agent is ready and available by running the following command:
+
[source,terminal]
----
$ oc get daemonset -l app.kubernetes.io/name=agent -n zero-trust-workload-identity-manager
----
+
.Example output
[source,terminal]
----
NAME          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
spire-agent   3         3         3       3            3           <none>          10m
----
+
`READY` and `AVAILABLE` must equal `DESIRED`; a lower count means the agent is not running on every node it was scheduled for.

* Verify that the status of the SPIRE Agent pods is `Running` by running the following command:
+
[source,terminal]
----
$ oc get po -l app.kubernetes.io/name=agent -n zero-trust-workload-identity-manager
----
+
.Example output
[source,terminal]
----
NAME                READY   STATUS    RESTARTS   AGE
spire-agent-dp4jb   1/1     Running   0          12m
spire-agent-nvwjm   1/1     Running   0          12m
spire-agent-vtvlk   1/1     Running   0          12m
----