mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-06 06:46:26 +01:00
98 lines
2.4 KiB
Plaintext
98 lines
2.4 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/security_profiles_operator/spo-seccomp.adoc
|
|
// * security/security_profiles_operator/spo-selinux.adoc
|
|
|
|
ifeval::["{context}" == "spo-seccomp"]
|
|
:seccomp:
|
|
:type: seccomp
|
|
:kind: SeccompProfile
|
|
endif::[]
|
|
ifeval::["{context}" == "spo-selinux"]
|
|
:selinux:
|
|
:type: SELinux
|
|
:kind: SelinuxProfile
|
|
endif::[]
|
|
|
|
:_content-type: PROCEDURE
|
|
[id="spo-binding-workloads_{context}"]
|
|
= Binding workloads to profiles with ProfileBindings
|
|
|
|
You can use the `ProfileBinding` resource to bind a security profile to the `SecurityContext` of a container.
|
|
|
|
.Procedure
|
|
|
|
. To bind a pod that uses a `quay.io/security-profiles-operator/test-nginx-unprivileged:1.21` image to the example `{kind}` profile, create a `ProfileBinding` object in the same namespace with the pod and the `{kind}` objects:
|
|
+
|
|
[source,yaml,subs="attributes+"]
|
|
----
|
|
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
|
|
kind: ProfileBinding
|
|
metadata:
|
|
namespace: my-namespace
|
|
name: nginx-binding
|
|
spec:
|
|
profileRef:
|
|
kind: {kind} <1>
|
|
name: profile <2>
|
|
image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
|
|
----
|
|
<1> The `kind:` variable refers to the name of the profile.
|
|
<2> The `name:` variable refers to the name of the profile.
|
|
|
|
. Label the namespace with `enable-binding=true` by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc label ns my-namespace spo.x-k8s.io/enable-binding=true
|
|
----
|
|
|
|
. Delete and re-create the pod to use the `ProfileBinding` object:
|
|
+
|
|
[source,terminal,subs="attributes+"]
|
|
----
|
|
$ oc delete pods test-pod && oc create -f pod01.yaml
|
|
----
|
|
|
|
.Verification
|
|
|
|
ifdef::seccomp[]
|
|
* Confirm the pod inherits the `ProfileBinding` by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get pod test-pod -o jsonpath='{.spec.containers[*].securityContext.seccompProfile}'
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
{"localhostProfile":"operator/my-namespace/profile.json","type":"Localhost"}
|
|
----
|
|
endif::[]
|
|
ifdef::selinux[]
|
|
* Confirm the pod inherits the `ProfileBinding` by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get pod test-pod -o jsonpath='{.spec.containers[*].securityContext.seLinuxOptions.type}'
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
profile_nginx-binding.process
|
|
----
|
|
endif::[]
|
|
|
|
|
|
ifeval::["{context}" == "spo-seccomp"]
|
|
:!seccomp:
|
|
:!type:
|
|
:!kind:
|
|
endif::[]
|
|
ifeval::["{context}" == "spo-selinux"]
|
|
:!selinux:
|
|
:!type:
|
|
:!kind:
|
|
endif::[] |