Creating security context constraints for Red Hat OpenShift Cluster
- The IBM Connect:Direct for Unix chart requires a SecurityContextConstraints (SCC) to be tied to the target namespace prior to deployment. Based on your organization's security policy, you may need to decide the security context constraints for your OpenShift cluster. This chart has been verified on the privileged SCC which comes with Red Hat OpenShift. For more information, refer to the Red Hat OpenShift documentation on SCCs. IBM CCS requires a custom SCC, which is the minimum set of permissions/capabilities needed to deploy this Helm chart and for the Connect:Direct for Unix services to function properly. It is based on the predefined restricted SCC with extra required privileges. This is the recommended SCC for this chart, and it can be created by the cluster administrator. The cluster administrator can either use the snippets given below or the scripts provided in the Helm chart to create the SCC and cluster role and tie them to the project where the deployment will be performed. In both cases, the same SCC and cluster role will be created. It is recommended to use the scripts in the Helm chart so that the required SCC and cluster role are created without any issue.
  Attention: If the Ordinary User Mode feature is enabled, the required SCC is slightly different. For more information, see the Ordinary User Mode SCC below.
- Below is the custom SecurityContextConstraints snippet for CDU operating in Ordinary User Mode. For more information, refer to Ordinary User Mode in IBM Connect:Direct for Unix Containers.

    apiVersion: security.openshift.io/v1
    kind: SecurityContextConstraints
    metadata:
      name: ibm-connect-direct-scc
      labels:
        app: "ibm-connect-direct-scc"
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegedContainer: false
    allowPrivilegeEscalation: true
    allowedCapabilities:
    - SETUID
    - SETGID
    - DAC_OVERRIDE
    - AUDIT_WRITE
    defaultAddCapabilities: []
    defaultAllowPrivilegeEscalation: false
    forbiddenSysctls:
    - "*"
    fsGroup:
      type: MustRunAs
      ranges:
      - min: 1
        max: 4294967294
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - ALL
    runAsUser:
      type: MustRunAsNonRoot
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: MustRunAs
      ranges:
      - min: 1
        max: 4294967294
    volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - nfs
    - persistentVolumeClaim
    - projected
    - secret
    priority: 0
- Below is the custom SecurityContextConstraints snippet for CDU operating in Super User Mode.

    apiVersion: security.openshift.io/v1
    kind: SecurityContextConstraints
    metadata:
      name: ibm-connect-direct-scc
      labels:
        app: "ibm-connect-direct-scc"
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegedContainer: false
    allowPrivilegeEscalation: true
    allowedCapabilities:
    - FOWNER
    - SETUID
    - SETGID
    - DAC_OVERRIDE
    - CHOWN
    - SYS_CHROOT
    - AUDIT_WRITE
    defaultAddCapabilities: []
    defaultAllowPrivilegeEscalation: false
    forbiddenSysctls:
    - "*"
    fsGroup:
      type: MustRunAs
      ranges:
      - min: 1
        max: 4294967294
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - ALL
    runAsUser:
      type: MustRunAsNonRoot
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: MustRunAs
      ranges:
      - min: 1
        max: 4294967294
    volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - nfs
    - persistentVolumeClaim
    - projected
    - secret
    priority: 0
- Custom ClusterRole for the custom SecurityContextConstraints:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: "ibm-connect-direct-scc"
      labels:
        app: "ibm-connect-direct-scc"
    rules:
    - apiGroups:
      - security.openshift.io
      resourceNames:
      - ibm-connect-direct-scc
      resources:
      - securitycontextconstraints
      verbs:
      - use
- From the command line, you can run the setup scripts included in the Helm chart (untar the
downloaded Helm chart archive).
ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh <pass 0 or 1 to disable/enable OUM feature>
ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh <Project name where deployment will be performed>
Note: If the above scripts are not executable, you will need to make them executable by running the following commands:
chmod u+x ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/namespaceAdministration/createSecurityNamespacePrereqs.sh
chmod u+x ibm-connect-direct/ibm_cloud_pak/pak_extensions/pre-install/clusterAdministration/createSecurityClusterPrereqs.sh
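As an added review aid (not part of the IBM chart or its setup scripts), the following Python reviews the two SCC snippets above before a cluster administrator applies them: it lists what each grants beyond a conservative restricted-style baseline, shows the extra capabilities Super User Mode needs over Ordinary User Mode, and flags any setting that would weaken the hardening floor. The SCC documents and the baseline are constructed here as dicts mirroring the snippets; the baseline values are this example's own assumption, not a copy of the predefined restricted SCC.

```python
# Constructed baseline for this example: the settings a minimal SCC keeps locked.
BASELINE = {
    "allowHostDirVolumePlugin": False, "allowHostIPC": False,
    "allowHostNetwork": False, "allowHostPID": False, "allowHostPorts": False,
    "allowPrivilegedContainer": False, "allowPrivilegeEscalation": False,
    "allowedCapabilities": [], "requiredDropCapabilities": ["ALL"],
}

# Fields shared by both SCC snippets above (constructed mirror of the YAML).
COMMON = {
    **BASELINE,
    "allowPrivilegeEscalation": True,
    "defaultAllowPrivilegeEscalation": False,
    "runAsUser": {"type": "MustRunAsNonRoot"},
    "fsGroup": {"type": "MustRunAs", "ranges": [{"min": 1, "max": 4294967294}]},
    "volumes": ["configMap", "downwardAPI", "emptyDir", "nfs",
                "persistentVolumeClaim", "projected", "secret"],
}
OUM_SCC = {**COMMON, "allowedCapabilities":
           ["SETUID", "SETGID", "DAC_OVERRIDE", "AUDIT_WRITE"]}
SUPERUSER_SCC = {**COMMON, "allowedCapabilities":
                 ["FOWNER", "SETUID", "SETGID", "DAC_OVERRIDE",
                  "CHOWN", "SYS_CHROOT", "AUDIT_WRITE"]}

def privilege_delta(scc):
    """Return only the settings where the SCC grants more than BASELINE."""
    delta = {}
    for key, base in BASELINE.items():
        val = scc.get(key, base)
        if isinstance(base, list):
            extra = sorted(set(val) - set(base))
            if extra:
                delta[key] = extra
        elif val != base:
            delta[key] = val
    return delta

def capability_diff(scc_a, scc_b):
    """Capabilities scc_b allows that scc_a does not (e.g. Super User vs OUM)."""
    return sorted(set(scc_b.get("allowedCapabilities", []))
                  - set(scc_a.get("allowedCapabilities", [])))

def hardening_violations(scc):
    """Flag settings a Connect:Direct SCC should never relax."""
    bad = [k for k in ("allowHostNetwork", "allowHostPID", "allowHostIPC",
                       "allowPrivilegedContainer", "allowHostDirVolumePlugin")
           if scc.get(k)]
    if scc.get("runAsUser", {}).get("type") != "MustRunAsNonRoot":
        bad.append("runAsUser")
    if "ALL" not in scc.get("requiredDropCapabilities", []):
        bad.append("requiredDropCapabilities")
    if "hostPath" in scc.get("volumes", []):
        bad.append("volumes:hostPath")
    return bad
```

Run `privilege_delta` on a modified SCC before applying it to see exactly which extra grants a change introduces; `capability_diff(OUM_SCC, SUPERUSER_SCC)` returns the three capabilities (CHOWN, FOWNER, SYS_CHROOT) that Ordinary User Mode avoids.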