Creating security context constraints for OpenShift Cluster
- The IBM Connect:Direct for Unix chart requires an SecurityContextConstraints (SCC) to be tied to
the target namespace prior to
deployment.Based on your organization security policy, you may need to decide the security context constraints for your OpenShift cluster.This chart has been verified on privileged SCC which comes with Redhat OpenShift. For more info, please refer this link. This chart defines a custom SCC which is the minimum set of permissions/capabilities needed to deploy this chart and the Connect Direct for Unix container to function properly. It is based on the predefined restricted SCC with extra required privileges. This is the recommended SCC for this chart and it can be created on the cluster by cluster administrator. The SCC and cluster role for this chart is defined below. The cluster administrator can either use the snippets given below or the scripts provided in the Helm chart to create the SCC, cluster role and tie it to the project where deployment will be performed. In both the cases, same SCC and cluster role will be created. It is recommended to use the scripts in the Helm chart so that required SCC and cluster role is created without any issue.
- Below is the Custom
SecurityContextConstraints
definition that the cluster admin can useapiVersion: security.openshift.io/v1 kind: SecurityContextConstraints metadata: name: ibm-connect-direct-scc labels: app: "ibm-connect-direct-scc" allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false privileged: false allowPrivilegeEscalation: true allowedCapabilities: - FOWNER - SETUID - SETGID - DAC_OVERRIDE - CHOWN - IPC_OWNER - IPC_LOCK - SYS_CHROOT - AUDIT_WRITE defaultAddCapabilities: [] defaultAllowPrivilegeEscalation: false forbiddenSysctls: - "*" fsGroup: type: MustRunAs ranges: - min: 1 max: 4294967294 readOnlyRootFilesystem: false requiredDropCapabilities: [] runAsUser: type: MustRunAsNonRoot seLinuxContext: type: RunAsAny supplementalGroups: type: RunAsAny ranges: - min: 1 max: 4294967294 volumes: - configMap - downwardAPI - persistentVolumeClaim - projected - secret - nfs
- Custom ClusterRole for the custom
SecurityContextConstraints
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: "ibm-connect-direct-scc" labels: app: "ibm-connect-direct-scc" rules: - apiGroups: - security.openshift.io resourceNames: - ibm-connect-direct-scc resources: - securitycontextconstraints verbs: - use
- From the command line, you can run the setup scripts included in the Helm chart (untar the
downloaded Helm chart archive).
ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh
ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh <Project name where deployment will be perfromed>
Note: If the above scripts are not executable, you will need to make the scripts executable by executing following commands:ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/ createSecurityNamespacePrereqs.sh
ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/ createSecurityClusterPrereqs.sh