Creating security context constraints for OpenShift Cluster

  • The IBM Connect:Direct for Unix chart requires an SecurityContextConstraints (SCC) to be tied to the target namespace prior to deployment.
    Based on your organization security policy, you may need to decide the security context constraints for your OpenShift cluster.
    This chart has been verified on privileged SCC which comes with Redhat OpenShift. For more info, please refer this link. This chart defines a custom SCC which is the minimum set of permissions/capabilities needed to deploy this chart and the Connect Direct for Unix container to function properly. It is based on the predefined restricted SCC with extra required privileges. This is the recommended SCC for this chart and it can be created on the cluster by cluster administrator. The SCC and cluster role for this chart is defined below. The cluster administrator can either use the snippets given below or the scripts provided in the Helm chart to create the SCC, cluster role and tie it to the project where deployment will be performed. In both the cases, same SCC and cluster role will be created. It is recommended to use the scripts in the Helm chart so that required SCC and cluster role is created without any issue.
  • Below is the Custom SecurityContextConstraints definition that the cluster admin can use
    apiVersion: security.openshift.io/v1
    kind: SecurityContextConstraints
    metadata:
      name: ibm-connect-direct-scc
      labels:
        app: "ibm-connect-direct-scc"
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    privileged: false
    allowPrivilegeEscalation: true
    allowedCapabilities:
    - FOWNER
    - SETUID
    - SETGID
    - DAC_OVERRIDE
    - CHOWN
    - IPC_OWNER
    - IPC_LOCK
    - SYS_CHROOT
    - AUDIT_WRITE
    defaultAddCapabilities: []
    defaultAllowPrivilegeEscalation: false
    forbiddenSysctls:
    - "*"
    fsGroup:
      type: MustRunAs
      ranges:
      - min: 1
        max: 4294967294
    readOnlyRootFilesystem: false
    requiredDropCapabilities: []
    runAsUser:
      type: MustRunAsNonRoot
    seLinuxContext:
      type: RunAsAny
    supplementalGroups:
      type: RunAsAny
      ranges:
      - min: 1
        max: 4294967294
    volumes:
    - configMap
    - downwardAPI
    - persistentVolumeClaim
    - projected
    - secret
    - nfs
  • Custom ClusterRole for the custom SecurityContextConstraints
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: "ibm-connect-direct-scc"
      labels:
        app: "ibm-connect-direct-scc"
    rules:
    - apiGroups:
      - security.openshift.io
      resourceNames:
      - ibm-connect-direct-scc
      resources:
      - securitycontextconstraints
      verbs:
      - use
  • From the command line, you can run the setup scripts included in the Helm chart (untar the downloaded Helm chart archive).
    ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh
    ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh <Project name where deployment will be perfromed>
    Note: If the above scripts are not executable, you will need to make the scripts executable by executing following commands:
    ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/
    createSecurityNamespacePrereqs.sh
    ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/
    createSecurityClusterPrereqs.sh