mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
112 lines
4.2 KiB
Plaintext
112 lines
4.2 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/seccomp-profiles.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
|
|
[id="verifying-default-seccomp-profile_{context}"]
|
|
= Verifying the default seccomp profile applied to a pod
|
|
|
|
{product-title} ships with a default seccomp profile that is referenced as `runtime/default`. In {product-version}, newly created pods have the Security Context Constraint (SCC) set to `restricted-v2` and the default seccomp profile applies to the pod.
|
|
|
|
.Procedure
|
|
|
|
. You can verify the Security Context Constraint (SCC) and the default seccomp profile set on a pod by running the following commands:
|
|
|
|
.. Verify what pods are running in the namespace:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get pods -n <namespace>
|
|
----
|
|
+
|
|
For example, to verify what pods are running in the `workshop` namespace run the following:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get pods -n workshop
|
|
----
|
|
+
|
|
.Example output
|
|
+
|
|
[source,terminal]
|
|
----
|
|
NAME READY STATUS RESTARTS AGE
|
|
parksmap-1-4xkwf 1/1 Running 0 2m17s
|
|
parksmap-1-deploy 0/1 Completed 0 2m22s
|
|
----
|
|
+
|
|
.. Inspect the pods:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get pod parksmap-1-4xkwf -n workshop -o yaml
|
|
----
|
|
+
|
|
.Example output
|
|
+
|
|
[source,terminal]
|
|
----
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
annotations:
|
|
k8s.v1.cni.cncf.io/network-status: |-
|
|
[{
|
|
"name": "ovn-kubernetes",
|
|
"interface": "eth0",
|
|
"ips": [
|
|
"10.131.0.18"
|
|
],
|
|
"default": true,
|
|
"dns": {}
|
|
}]
|
|
k8s.v1.cni.cncf.io/network-status: |-
|
|
[{
|
|
"name": "ovn-kubernetes",
|
|
"interface": "eth0",
|
|
"ips": [
|
|
"10.131.0.18"
|
|
],
|
|
"default": true,
|
|
"dns": {}
|
|
}]
|
|
openshift.io/deployment-config.latest-version: "1"
|
|
openshift.io/deployment-config.name: parksmap
|
|
openshift.io/deployment.name: parksmap-1
|
|
openshift.io/generated-by: OpenShiftWebConsole
|
|
openshift.io/scc: restricted-v2 <1>
|
|
seccomp.security.alpha.kubernetes.io/pod: runtime/default <2>
|
|
----
|
|
<1> The `restricted-v2` SCC is added by default if your workload does not have access to a different SCC.
|
|
<2> Newly created pods in {product-version} will have the seccomp profile configured to `runtime/default` as mandated by the SCC.
|
|
|
|
[id="upgraded_cluster_{context}"]
|
|
== Upgraded cluster
|
|
|
|
In clusters upgraded to {product-version} all authenticated users have access to the `restricted` and `restricted-v2` SCC.
|
|
|
|
A workload admitted by the SCC `restricted` for example, on a {product-title} v4.10 cluster when upgraded may get admitted by `restricted-v2`. This is because `restricted-v2` is the more restrictive SCC between `restricted` and `restricted-v2`.
|
|
[NOTE]
|
|
====
|
|
The workload must be able to run with `retricted-v2`.
|
|
====
|
|
|
|
Conversely with a workload that requires `privilegeEscalation: true` this workload will continue to have the `restricted` SCC available for any authenticated user. This is because `restricted-v2` does not allow `privilegeEscalation`.
|
|
|
|
[id="newly_installed_{context}"]
|
|
== Newly installed cluster
|
|
|
|
For newly installed {product-title} 4.11 or later clusters, the `restricted-v2` replaces the `restricted` SCC as an SCC that is available to be used by any authenticated user. A workload with `privilegeEscalation: true`, is not admitted into the cluster since `restricted-v2` is the only SCC available for authenticated users by default.
|
|
|
|
The feature `privilegeEscalation` is allowed by `restricted` but not by `restricted-v2`. More features are denied by `restricted-v2` than were allowed by `restricted` SCC.
|
|
|
|
A workload with `privilegeEscalation: true` may be admitted into a newly installed {product-title} 4.11 or later cluster. To give access to the `restricted` SCC to the ServiceAccount running the workload (or any other SCC that can admit this workload) using a RoleBinding run the following command:
|
|
|
|
[source,terminal]
|
|
----
|
|
$ oc -n <workload-namespace> adm policy add-scc-to-user <scc-name> -z <serviceaccount_name>
|
|
----
|
|
|
|
In {product-title} {product-version} the ability to add the pod annotations `seccomp.security.alpha.kubernetes.io/pod: runtime/default` and `container.seccomp.security.alpha.kubernetes.io/<container_name>: runtime/default` is deprecated.
|