Creating security context constraints for OpenShift Cluster

  • The IBM Sterling Secure Proxy chart requires a SecurityContextConstraints (SCC) to be tied to the target namespace before deployment. Depending on your organization's security policy, you may need to decide which SCC to use for your OpenShift cluster. This chart has been verified on the privileged SCC that ships with Red Hat OpenShift; for more information, refer to Managing Security Constraints. This chart also defines a custom SCC with the minimum set of permissions and capabilities needed to deploy the chart and for the SSP containers to function properly. It is based on the predefined restricted SCC plus the extra privileges required. This is the recommended SCC for this chart, and a cluster administrator can create it on the cluster. The SCC and cluster role for this chart are defined below. The cluster administrator can either use the snippets given below or the scripts provided in the Helm chart to create the SCC and cluster role and tie them to the project where the deployment will be performed. In both cases the same SCC and cluster role are created. Using the scripts in the Helm chart is recommended so that the required SCC and cluster role are created without any issue.
  • The cluster admin can use the following Custom Configuration Manager SecurityContextConstraints definition:
    apiVersion: security.openshift.io/v1
    kind: SecurityContextConstraints
    metadata:
      name: ibm-ssp-cm-scc
      labels:
        app: "ibm-ssp-cm-scc"
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    privileged: false
    allowPrivilegeEscalation: true
    requiredDropCapabilities:
    - KILL
    - MKNOD
    - SETFCAP
    - FSETID
    - NET_BIND_SERVICE
    - SYS_CHROOT
    - SETPCAP
    - NET_RAW
    allowedCapabilities:
    - FOWNER
    - CHOWN
    - SETGID
    - SETUID
    - DAC_OVERRIDE
    defaultAddCapabilities: []
    defaultAllowPrivilegeEscalation: false
    forbiddenSysctls:
    - "*"
    fsGroup:
      type: MustRunAs
      ranges:
      - min: 1
        max: 4294967294
    readOnlyRootFilesystem: false
    runAsUser:
      type: MustRunAsNonRoot
    seLinuxContext:
      type: RunAsAny
    supplementalGroups:
      type: RunAsAny
      ranges:
      - min: 1
        max: 4294967294
    volumes:
    - configMap
    - downwardAPI
    - persistentVolumeClaim
    - projected
    - secret
    - nfs
    
  • The cluster admin can use the following Custom Engine SecurityContextConstraints definition:
    apiVersion: security.openshift.io/v1
    kind: SecurityContextConstraints
    metadata:
      name: ibm-ssp-engine-scc
      labels:
        app: "ibm-ssp-engine-scc"
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    privileged: false
    allowPrivilegeEscalation: true
    requiredDropCapabilities:
    - KILL
    - MKNOD
    - SETFCAP
    - FSETID
    - NET_BIND_SERVICE
    - SYS_CHROOT
    - SETPCAP
    - NET_RAW
    allowedCapabilities:
    - FOWNER
    - CHOWN
    - SETGID
    - SETUID
    - DAC_OVERRIDE
    defaultAddCapabilities: []
    defaultAllowPrivilegeEscalation: false
    forbiddenSysctls:
    - "*"
    fsGroup:
      type: MustRunAs
      ranges:
      - min: 1
        max: 4294967294
    readOnlyRootFilesystem: false
    runAsUser:
      type: MustRunAsNonRoot
    seLinuxContext:
      type: RunAsAny
    supplementalGroups:
      type: RunAsAny
      ranges:
      - min: 1
        max: 4294967294
    volumes:
    - configMap
    - downwardAPI
    - persistentVolumeClaim
    - projected
    - secret
    - nfs
  • The cluster admin can use the following Custom Perimeter Server SecurityContextConstraints definition:
    apiVersion: security.openshift.io/v1
    kind: SecurityContextConstraints
    metadata:
      name: ibm-ssp-ps-scc
      labels:
        app: "ibm-ssp-ps-scc"
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    privileged: false
    allowPrivilegeEscalation: true
    requiredDropCapabilities:
    - KILL
    - MKNOD
    - SETFCAP
    - FSETID
    - NET_BIND_SERVICE
    - SYS_CHROOT
    - SETPCAP
    - NET_RAW
    allowedCapabilities:
    - FOWNER
    - CHOWN
    - SETGID
    - SETUID
    - DAC_OVERRIDE
    defaultAddCapabilities: []
    defaultAllowPrivilegeEscalation: false
    forbiddenSysctls:
    - "*"
    fsGroup:
      type: MustRunAs
      ranges:
      - min: 1
        max: 4294967294
    readOnlyRootFilesystem: false
    runAsUser:
      type: MustRunAsNonRoot
    seLinuxContext:
      type: RunAsAny
    supplementalGroups:
      type: RunAsAny
      ranges:
      - min: 1
        max: 4294967294
    volumes:
    - configMap
    - downwardAPI
    - persistentVolumeClaim
    - projected
    - secret
    - nfs
    
  • Custom ClusterRole for the custom Configuration Manager SecurityContextConstraints
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: "ibm-ssp-cm-scc"
      labels:
        app: "ibm-ssp-cm-scc"
    rules:
    - apiGroups:
      - security.openshift.io
      resourceNames:
      - ibm-ssp-cm-scc
      resources:
      - securitycontextconstraints
      verbs:
      - use
    
  • Custom ClusterRole for the custom Engine SecurityContextConstraints
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: "ibm-ssp-engine-scc"
      labels:
        app: "ibm-ssp-engine-scc"
    rules:
    - apiGroups:
      - security.openshift.io
      resourceNames:
      - ibm-ssp-engine-scc
      resources:
      - securitycontextconstraints
      verbs:
      - use
    
  • Custom ClusterRole for the custom Perimeter Server SecurityContextConstraints
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: "ibm-ssp-ps-scc"
      labels:
        app: "ibm-ssp-ps-scc"
    rules:
    - apiGroups:
      - security.openshift.io
      resourceNames:
      - ibm-ssp-ps-scc
      resources:
      - securitycontextconstraints
      verbs:
      - use
    
  • From the command line, you can run the setup scripts included in the Helm chart (untar the downloaded Helm chart archive).
    <chart-name>/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh
    <chart-name>/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh <Project name where deployment will be performed>
    Note: If the above scripts are not executable, make them executable with the following commands:
    chmod u+x <chart-name>/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh
    chmod u+x <chart-name>/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh
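The first bullet describes the chart's custom SCC as the minimum set of permissions the SSP containers need, which makes it a natural baseline to check against before a cluster administrator applies an edited copy. The following Python script is an added example and is not part of the IBM Sterling Secure Proxy chart: it audits an SCC definition against that documented minimum and reports every field that grants more than the chart asks for. The BASELINE_SCC dict is constructed here from the ibm-ssp-cm-scc definition above (the three SCCs on this page differ only in name), and DRIFTED_SCC is a constructed, deliberately loosened copy used to show what the audit reports.

```python
"""Audit an OpenShift SecurityContextConstraints (SCC) against the
minimum-privilege baseline the chart documents.

Added example, not part of the chart. BASELINE_SCC is constructed from the
page's ibm-ssp-cm-scc definition; DRIFTED_SCC is a constructed, loosened copy.
"""
import copy

# Baseline values taken from the chart's SCC definitions.
REQUIRED_DROP = {"KILL", "MKNOD", "SETFCAP", "FSETID", "NET_BIND_SERVICE",
                 "SYS_CHROOT", "SETPCAP", "NET_RAW"}
ALLOWED_ADD = {"FOWNER", "CHOWN", "SETGID", "SETUID", "DAC_OVERRIDE"}
ALLOWED_VOLUMES = {"configMap", "downwardAPI", "persistentVolumeClaim",
                   "projected", "secret", "nfs"}
# Host-namespace and privileged flags that must all stay false.
HOST_FLAGS = ("allowHostDirVolumePlugin", "allowHostIPC", "allowHostNetwork",
              "allowHostPID", "allowHostPorts", "privileged")

# Constructed from the ibm-ssp-cm-scc definition on this page.
BASELINE_SCC = {
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "ibm-ssp-cm-scc"},
    "allowHostDirVolumePlugin": False, "allowHostIPC": False,
    "allowHostNetwork": False, "allowHostPID": False, "allowHostPorts": False,
    "privileged": False, "allowPrivilegeEscalation": True,
    "requiredDropCapabilities": sorted(REQUIRED_DROP),
    "allowedCapabilities": sorted(ALLOWED_ADD),
    "defaultAddCapabilities": [],
    "defaultAllowPrivilegeEscalation": False,
    "forbiddenSysctls": ["*"],
    "fsGroup": {"type": "MustRunAs", "ranges": [{"min": 1, "max": 4294967294}]},
    "readOnlyRootFilesystem": False,
    "runAsUser": {"type": "MustRunAsNonRoot"},
    "seLinuxContext": {"type": "RunAsAny"},
    "supplementalGroups": {"type": "RunAsAny",
                           "ranges": [{"min": 1, "max": 4294967294}]},
    "volumes": sorted(ALLOWED_VOLUMES),
}

# Constructed drift: the kind of "make it work" edit the audit should catch.
DRIFTED_SCC = copy.deepcopy(BASELINE_SCC)
DRIFTED_SCC.update({"privileged": True, "allowHostNetwork": True,
                    "runAsUser": {"type": "RunAsAny"}})
DRIFTED_SCC["allowedCapabilities"].append("SYS_ADMIN")
DRIFTED_SCC["volumes"].append("hostPath")


def audit_scc(scc):
    """Return a list of human-readable findings; an empty list means the SCC
    grants nothing beyond the chart's documented minimum."""
    findings = []
    for flag in HOST_FLAGS:
        if scc.get(flag, False):
            findings.append(f"{flag} must be false")
    missing_drop = REQUIRED_DROP - set(scc.get("requiredDropCapabilities", []))
    if missing_drop:
        findings.append("requiredDropCapabilities is missing: "
                        + ", ".join(sorted(missing_drop)))
    extra_add = set(scc.get("allowedCapabilities", [])) - ALLOWED_ADD
    if extra_add:
        findings.append("allowedCapabilities grants capabilities outside the "
                        "baseline: " + ", ".join(sorted(extra_add)))
    if scc.get("defaultAddCapabilities"):
        findings.append("defaultAddCapabilities must be empty")
    if scc.get("defaultAllowPrivilegeEscalation") is not False:
        findings.append("defaultAllowPrivilegeEscalation must be false")
    if "*" not in scc.get("forbiddenSysctls", []):
        findings.append('forbiddenSysctls must contain "*"')
    run_as = scc.get("runAsUser", {}).get("type")
    if run_as != "MustRunAsNonRoot":
        findings.append(f"runAsUser.type must be MustRunAsNonRoot (got {run_as})")
    if scc.get("fsGroup", {}).get("type") != "MustRunAs":
        findings.append("fsGroup.type must be MustRunAs")
    extra_vol = set(scc.get("volumes", [])) - ALLOWED_VOLUMES
    if extra_vol:
        findings.append("volumes allows types outside the baseline: "
                        + ", ".join(sorted(extra_vol)))
    return findings


if __name__ == "__main__":
    for name, scc in (("baseline", BASELINE_SCC), ("drifted", DRIFTED_SCC)):
        problems = audit_scc(scc)
        print(f"{name}: {'OK' if not problems else f'{len(problems)} finding(s)'}")
        for problem in problems:
            print("  -", problem)
```

To audit an SCC that is already on a cluster rather than the constructed dicts, export it with `oc get scc ibm-ssp-cm-scc -o json`, load the file with `json.load`, and pass the resulting dict to `audit_scc`; a non-empty result is the list of fields that were widened beyond what the chart documents.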