Security in Informix
Informix on Cloud Pak for Data supports Transport Layer Security (TLS) to encrypt data in transit and Encryption at rest (EAR) to encrypt data stored on the storage media.
Encryption of data in motion
To protect all personal data exchanged with the Informix server, Informix on Cloud Pak for Data encrypts the communication to and from Informix by implementing secure communications using Transport Layer Security (TLS).
Encryption of data at rest
In addition, Encryption at rest (EAR) is used to protect database files and transaction logs while they are at rest on the storage media.
Passive encryption
The database storage is actively encrypted by the Informix server as described in "Encryption of data at rest". Hence, additional passive encryption of this storage is not required.
Passive encryption must not be used while the Informix instance is online, because the Informix server would otherwise be unable to read the storage. In theory you could encrypt the database storage while the instance is offline, provided that it is decrypted before the instance is brought online. That is not a recommended practice, though.
SCC Capabilities
The security context constraints (SCC) for Informix have the following capabilities:
- SYS_RESOURCE
- Allows manipulation of reservations, memory allocations and resource limits. Maximum memory allocation is still constrained by the memory cgroup (memcg) limit, which cannot be overridden by this capability. The Informix database engine needs this capability to raise resource limits (i.e., ulimits).
- IPC_OWNER
- Bypasses permission checks for operations on IPC objects. Even when the IPC kernel parameters are set to maximum values on the hosts/worker nodes, the Informix engine still tries to dynamically throttle those values. This capability is provided in addition to sharing the IPC namespace with the host.
- SYS_NICE
- Allows changing process priorities. Because each container has its own PID namespace, this capability only applies to that container. The Informix database engine relies on process thread prioritization to ensure that Work Load Management (WLM) and Fast Communications Manager (FCM) processing is prioritized over generic agent work.
- CHOWN
- Necessary to run chown to change ownership of files/directories in persistent volumes.
- DAC_OVERRIDE
- Bypasses permission checks for file read, write, and execute.
- FSETID
- Prevents the clearing of the setuid and setgid mode bits when a file is modified.
- FOWNER
- Bypasses permission checks on operations that normally require the filesystem UID of the process to match the UID of the file (for example, chmod(2), utime(2)), excluding those operations that are covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH.
- SETGID
- Necessary to run Informix engine processes with escalated group privileges.
- SETUID
- Necessary to run Informix engine processes with escalated user privileges.
- SETFCAP
- Used to set capabilities on files.
- SETPCAP
- Used to set capabilities on processes.
- NET_BIND_SERVICE
- Required for various services to bind to IP domain privileged ports.
- SYS_CHROOT
- Necessary to use the chroot command.
- KILL
- Bypasses permission checks for sending signals. Necessary for signal handling during process management.
- AUDIT_WRITE
- Required to write records to the kernel auditing log when SELinux is enabled.
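As an added example (not part of IBM's documentation or the Informix operator), the following Python script compares the capabilities an SCC actually grants against the list above, so that drift such as an added capability or a wildcard is caught before it reaches a cluster. The SCC name informix-scc, the JSON document and the extra SYS_ADMIN entry are constructed for illustration; the field names are those of the OpenShift SecurityContextConstraints object.

```python
import json

# Capabilities the page lists for the Informix SCC.
DOCUMENTED_CAPS = frozenset({
    "SYS_RESOURCE", "IPC_OWNER", "SYS_NICE", "CHOWN", "DAC_OVERRIDE",
    "FSETID", "FOWNER", "SETGID", "SETUID", "SETFCAP", "SETPCAP",
    "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", "AUDIT_WRITE",
})

# Constructed sample of `oc get scc informix-scc -o json`; the name and the
# extra SYS_ADMIN entry are made up to show how drift is reported.
SAMPLE_SCC_JSON = """
{
  "apiVersion": "security.openshift.io/v1",
  "kind": "SecurityContextConstraints",
  "metadata": {"name": "informix-scc"},
  "allowPrivilegedContainer": false,
  "allowHostIPC": true,
  "allowHostPID": false,
  "allowHostNetwork": false,
  "allowHostDirVolumePlugin": true,
  "allowedCapabilities": [
    "SYS_RESOURCE", "IPC_OWNER", "SYS_NICE", "CHOWN", "DAC_OVERRIDE",
    "FSETID", "FOWNER", "SETGID", "SETUID", "SETFCAP", "SETPCAP",
    "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", "AUDIT_WRITE", "SYS_ADMIN"
  ],
  "defaultAddCapabilities": [],
  "requiredDropCapabilities": ["MKNOD"]
}
"""


def normalize(cap):
    """Capabilities may be written SYS_NICE or CAP_SYS_NICE; compare without the prefix."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_scc(scc, documented=DOCUMENTED_CAPS):
    """Compare one SCC document against the documented capability set.

    Both allowedCapabilities (what a pod may request) and
    defaultAddCapabilities (what every pod gets) count as granted.
    """
    allowed = {normalize(c) for c in scc.get("allowedCapabilities") or []}
    added = {normalize(c) for c in scc.get("defaultAddCapabilities") or []}
    granted = allowed | added
    return {
        "unexpected": sorted(granted - documented - {"*"}),
        "missing": sorted(documented - granted),
        "wildcard": "*" in granted,
        "privileged": bool(scc.get("allowPrivilegedContainer")),
        "host_ipc": bool(scc.get("allowHostIPC")),
        "host_pid": bool(scc.get("allowHostPID")),
        "host_network": bool(scc.get("allowHostNetwork")),
    }


def audit_scc_json(text):
    """Parse `oc get scc <name> -o json` output and audit it."""
    return audit_scc(json.loads(text))


if __name__ == "__main__":
    report = audit_scc_json(SAMPLE_SCC_JSON)
    for key, value in report.items():
        print(f"{key:12} {value}")
```

Feed it the output of `oc get scc <name> -o json`; anything in `unexpected`, or a `True` under `wildcard` or `privileged`, is a change that needs a justification. Inside a running Informix pod the effective set can be cross-checked with `grep CapEff /proc/1/status` and `capsh --decode=<hex>`.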
Role-binding access control
The informix ServiceAccount and associated ibm-informix-operator Role are necessary for pod-to-pod control and communication for a successful deployment. The resources and verbs are outlined below:
rules:
  - apiGroups: [""]
    resources: ["pods","services","services/finalizers","endpoints","persistentvolumeclaims","events","configmaps","secrets","HorizontalPodAutoscaler"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: ["apps"]
    resources: ["deployments","daemonsets","replicasets","StatefulSets"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["servicemonitors"]
    verbs: ["get","create"]
  - apiGroups: ["apps"]
    resources: ["deployments/finalizers"]
    verbs: ["update"]
  - apiGroups: ["ifx.ibm.com"]
    resources: ["'*'","informixes","informixcms","monitors","wlisteners","cpdapis"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs","jobs"]
    verbs: ["create","delete","get","list","watch","update"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: ["certmanager.k8s.io"]
    resources: ["certificates","issuers"]
    verbs: ["create","get","update","delete","patch","list","watch"]
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    verbs: ["use"]
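To review rules like the ones above, here is an added Python check (not part of the Informix operator or IBM's documentation) that reads a Role in the JSON form returned by `oc get role <name> -o json`, flags every rule field that uses the `*` wildcard, and reports the verbs the Role grants on a given resource, so the full read/write grant on Secrets and the wildcard in the ifx.ibm.com group stand out. The embedded Role is transcribed from the rules above but is constructed sample data reduced to the rules the checks need; the page's `"'*'"` entry is treated as the wildcard `*`, which is an assumption, and the `verbs_on`, `wildcard_grants` and `secret_access` helpers are mine.

```python
import json

# Constructed Role document transcribed from the rules listed above, in the
# form `oc get role ibm-informix-operator -o json` would return. Only the
# rules needed for the checks are included, and "'*'" is written as "*"
# (assumption: the quoted star on the page is meant as the RBAC wildcard).
SAMPLE_ROLE_JSON = """
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "Role",
  "metadata": {"name": "ibm-informix-operator"},
  "rules": [
    {"apiGroups": [""],
     "resources": ["pods", "services", "services/finalizers", "endpoints",
                   "persistentvolumeclaims", "events", "configmaps", "secrets"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["apps"],
     "resources": ["deployments", "daemonsets", "replicasets", "statefulsets"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["apps"],
     "resources": ["deployments/finalizers"],
     "verbs": ["update"]},
    {"apiGroups": ["ifx.ibm.com"],
     "resources": ["*", "informixes", "informixcms", "monitors", "wlisteners", "cpdapis"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["security.openshift.io"],
     "resources": ["securitycontextconstraints"],
     "verbs": ["use"]}
  ]
}
"""

READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def load_role(text):
    """Parse the JSON that `oc get role <name> -o json` prints."""
    return json.loads(text)


def wildcard_grants(role):
    """Return (apiGroups, field) pairs for every rule field that contains '*'."""
    hits = []
    for rule in role.get("rules", []):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                hits.append((tuple(rule.get("apiGroups", [])), field))
    return hits


def verbs_on(role, resource, api_group=""):
    """Union of verbs the Role grants on `resource` in `api_group`.

    A rule matches when its apiGroups and resources name the target
    explicitly or via '*', which is how the RBAC authorizer evaluates it.
    """
    verbs = set()
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        if (api_group in groups or "*" in groups) and (resource in resources or "*" in resources):
            verbs |= set(rule.get("verbs", []))
    return verbs


def secret_access(role):
    """Summarise read/write access to Secrets, the grant most worth reviewing."""
    verbs = verbs_on(role, "secrets")
    return {"read": bool(verbs & READ_VERBS), "write": bool(verbs & WRITE_VERBS)}


if __name__ == "__main__":
    role = load_role(SAMPLE_ROLE_JSON)
    print("wildcard fields:", wildcard_grants(role))
    print("secrets access:", secret_access(role))
    print("verbs on any ifx.ibm.com resource:",
          sorted(verbs_on(role, "anything", "ifx.ibm.com")))
```

The operator legitimately needs most of these grants to deploy and manage Informix; the point of the check is to make the scope explicit (which namespace the Role is bound in, and that it is a Role rather than a ClusterRole) and to notice if a later version widens it.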
Hostpath requirements
The /proc and /proc/sys volumes must be mounted into an init container to either set or validate the required IPC kernel parameters for Informix. Hostpath volumes are also supported for single-node Informix deployments.
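As an added illustration of what the validating half of such an init container does (this is not the operator's own init container code), the following Python reads a set of IPC kernel parameters from /proc/sys and reports which are missing or below a required minimum. The parameter names kernel.shmmax, kernel.shmmni and kernel.msgmax are real sysctls, but the minimums in REQUIRED_IPC_PARAMS are placeholders rather than Informix's documented values; the `root` argument and the `make_test_root` helper exist so the check can be exercised against a constructed directory instead of the live kernel.

```python
import sys
import tempfile
from pathlib import Path

# Placeholder requirements: the names are real sysctls, but the minimums are
# NOT Informix's documented values and must be replaced with them.
REQUIRED_IPC_PARAMS = {
    "kernel.shmmax": 1024,
    "kernel.shmmni": 4096,
    "kernel.msgmax": 8192,
}


def read_sysctl(name, root="/proc/sys"):
    """Read one integer sysctl; kernel.shmmax maps to <root>/kernel/shmmax."""
    path = Path(root, *name.split("."))
    return int(path.read_text().strip())


def validate_ipc_params(required, root="/proc/sys"):
    """Return {name: (status, current)} with status 'ok', 'low' or 'missing'.

    Multi-valued parameters (kernel.sem) would need their own parser and are
    deliberately not handled here.
    """
    results = {}
    for name, minimum in required.items():
        try:
            current = read_sysctl(name, root)
        except (OSError, ValueError):
            # Not present, not readable, or not a single integer.
            results[name] = ("missing", None)
            continue
        results[name] = ("ok" if current >= minimum else "low", current)
    return results


def all_ok(results):
    """True only when every required parameter is present and large enough."""
    return all(status == "ok" for status, _ in results.values())


def make_test_root(values):
    """Build a throw-away directory shaped like /proc/sys from {name: value}."""
    root = tempfile.mkdtemp(prefix="fake-proc-sys-")
    for name, value in values.items():
        path = Path(root, *name.split("."))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"{value}\n")
    return root


if __name__ == "__main__":
    # In the init container this runs against the real /proc/sys and a
    # non-zero exit keeps the Informix pod from starting with bad settings.
    results = validate_ipc_params(REQUIRED_IPC_PARAMS)
    for name, (status, current) in results.items():
        print(f"{status:8} {name} = {current}")
    sys.exit(0 if all_ok(results) else 1)
```

Validation only needs read access to /proc/sys, so it can run in an unprivileged init container; the "set" variant writes through the same paths and therefore needs a privileged init container, which is the more sensitive of the two modes and the one worth restricting to the single-node case the page describes.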