Cluster Security requirements

Before installing on a Kubernetes cluster, create a directory where all manifest files will be created.
# mkdir sccm-manifest-files
# cd sccm-manifest-files
Create a Kubernetes namespace using the command below:
# kubectl create ns ibm-sccm
Create a namespace (project) in OpenShift using the following command:
# oc new-project ibm-sccm --display-name 'IBM Sterling Control Center'

Specific to OpenShift

  1. Create an ibm-sccm-scc.yaml file with the following content:
    # ibm-sccm-scc.yaml
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegeEscalation: true
    allowPrivilegedContainer: false
    allowedCapabilities: null
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities: null
    fsGroup:
      type: MustRunAs
      ranges:
      - min: 1
        max: 4294967294
    kind: SecurityContextConstraints
    metadata:
      name: ibm-sccm-scc
      labels:
        app: "ibm-sccm-scc"
    priority: null
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - KILL
    - MKNOD
    - SETUID
    - SETGID
    runAsUser:
      type: MustRunAsRange
      uidRangeMin: 1000
      uidRangeMax: 65535
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    users: []
    volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - projected
    - secret
    
  2. Invoke the following command to create the SCC in OpenShift Container Platform:
    # oc create -f ibm-sccm-scc.yaml
    Sample cluster role file (ibm-sccm-cr-scc.yaml):
    # ibm-sccm-cr-scc.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: "ibm-sccm-scc"
      labels:
        app: "ibm-sccm-scc"
    rules:
    - apiGroups:
      - security.openshift.io
      resourceNames:
      - ibm-sccm-scc
      resources:
      - securitycontextconstraints
      verbs:
      - use
    
  3. Invoke the following command to create a cluster role:
    # oc create -f ibm-sccm-cr-scc.yaml
    Sample cluster role binding file (ibm-sccm-rb-scc.yaml):
    
    # ibm-sccm-rb-scc.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: "ibm-sccm-scc"
      labels:
        app: "ibm-sccm-scc"
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: "ibm-sccm-scc"
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      # RBAC ignores the namespace field on a Group subject, and the bare
      # system:serviceaccounts group contains every service account in the
      # cluster; the per-namespace group limits SCC use to this project.
      name: system:serviceaccounts:ibm-sccm
    
  4. Invoke the following command to create the cluster role binding from the file above:
    # oc create -f ibm-sccm-rb-scc.yaml
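As an added check, not part of IBM's documentation: a small Python audit of the SCC and binding manifests from the steps above, transcribed into dicts so it runs without PyYAML or a cluster. It reports the host-access settings the SCC must keep disabled, the allowPrivilegeEscalation: true setting the SCC leaves on, and a binding subject that grants SCC use beyond the ibm-sccm namespace; the audit_scc and audit_binding functions and the BINDING sample are this example's own constructions.

```python
# Added example, not from IBM's documentation: audit the SCC and the
# ClusterRoleBinding described above before applying them. The manifests are
# transcribed into dicts so the check runs without PyYAML or a cluster.
SCC = {  # transcribed from ibm-sccm-scc.yaml
    "allowHostDirVolumePlugin": False, "allowHostIPC": False,
    "allowHostNetwork": False, "allowHostPID": False, "allowHostPorts": False,
    "allowPrivilegedContainer": False, "allowPrivilegeEscalation": True,
    "requiredDropCapabilities": ["KILL", "MKNOD", "SETUID", "SETGID"],
    "runAsUser": {"type": "MustRunAsRange", "uidRangeMin": 1000, "uidRangeMax": 65535},
    "volumes": ["configMap", "downwardAPI", "emptyDir", "persistentVolumeClaim", "projected", "secret"],
}
BINDING = {  # constructed: a subject as often written, bare group plus a namespace field
    "roleRef": {"kind": "ClusterRole", "name": "ibm-sccm-scc"},
    "subjects": [{"kind": "Group", "name": "system:serviceaccounts", "namespace": "ibm-sccm"}],
}
HOST_FLAGS = ("allowHostDirVolumePlugin", "allowHostIPC", "allowHostNetwork",
              "allowHostPID", "allowHostPorts", "allowPrivilegedContainer")
MUST_DROP = {"KILL", "MKNOD", "SETUID", "SETGID"}

def audit_scc(scc):
    """Return findings for settings that let a pod reach the node or gain privilege."""
    findings = []
    for flag in HOST_FLAGS:
        if scc.get(flag, True):  # a missing flag is treated as unsafe
            findings.append(f"{flag} must be false")
    if scc.get("allowPrivilegeEscalation", True):
        findings.append("allowPrivilegeEscalation is true (no_new_privs not enforced)")
    if "hostPath" in scc.get("volumes", []):
        findings.append("hostPath volumes expose the node filesystem")
    missing = MUST_DROP - set(scc.get("requiredDropCapabilities") or [])
    if missing:
        findings.append("requiredDropCapabilities missing " + ", ".join(sorted(missing)))
    run_as = scc.get("runAsUser") or {}
    if run_as.get("type") != "MustRunAsRange" or run_as.get("uidRangeMin", 0) < 1:
        findings.append("runAsUser must be MustRunAsRange with a non-root UID range")
    return findings

def audit_binding(binding, namespace):
    """Flag Group subjects that grant SCC use beyond the intended namespace."""
    findings = []
    for subj in binding.get("subjects", []):
        if subj.get("kind") != "Group":
            continue
        if subj.get("namespace"):  # RBAC ignores the namespace field on Group subjects
            findings.append("namespace on a Group subject has no effect")
        if subj.get("name") == "system:serviceaccounts":  # every service account cluster-wide
            findings.append(f"use system:serviceaccounts:{namespace} instead")
    return findings
```

Run the two audits against the manifests you are about to apply; an empty list from each means no finding, and the binding audit is clean once the subject is the per-namespace group.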