Running DataPower containers as root user
By default, DataPower containers run as a non-root user. However, there are certain features within DataPower that require root privileges, such as SSH and SFTP. To allow these features to work, the DataPower container must be run as root user.
As a best practice, workloads which need root privilege should be isolated from the rest. For example, if a single Multi-Protocol Gateway (MPGW) service in DataPower relies on SFTP, then it should be deployed in a separate DataPowerService instance running as root user. All other services which do not require root privilege should be deployed in a different DataPowerService which runs using default security constraints.
Kubernetes
The DataPowerService spec property runAsRoot can be enabled to run the DataPower containers as the root user on Kubernetes. Unless custom security constraints are configured in the namespace, this should work without any additional configuration. If there are custom security constraints in the namespace which prevent this, work with your Kubernetes admins to determine the best approach for deploying a root-enabled workload.
OpenShift
In OpenShift, by default, the runAsRoot toggle will not work without additional configuration. To allow this to work, a custom SecurityContextConstraint must be applied.
Custom SecurityContextConstraint
Copy the YAML below and apply it to your OCP cluster as a prerequisite to enabling runAsRoot in the DataPowerService.
YAML
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: 'Custom SCC for running IBM DataPower Gateway pods as root user'
  creationTimestamp: null
  name: datapower-root
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
- '*'
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
Apply
oc apply -f datapower-root.yaml
Service Account
The DataPower Operator will automatically configure the default Service Account to bind to the above datapower-root SCC if runAsRoot is enabled in the DataPowerService. However, if you are using a custom ServiceAccount (serviceAccountName), you must manually link this Service Account with the SCC.
oc adm policy add-scc-to-user datapower-root -z <your-service-account>
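To check who can actually use the root-enabled SCC, the following added Python script (not part of the DataPower Operator or of this page) audits an SCC exported with `oc get scc datapower-root -o json`; the namespace and service account names in the sample are constructed, and the sample is embedded so the script runs offline. Because SCCs are cluster-scoped, every subject linked with `oc adm policy add-scc-to-user` from any namespace appears in `users`, so the audit compares that list against the subjects you intended to run as root.

```python
import json

# Constructed sample: the page's datapower-root SCC as `oc get scc ... -o json`
# would return it, after two service accounts in the hypothetical namespace
# "gateways" were linked with `oc adm policy add-scc-to-user ... -z`.
SCC_JSON = json.dumps({
    "apiVersion": "security.openshift.io/v1",
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "datapower-root"},
    "allowHostDirVolumePlugin": False,
    "allowHostIPC": False,
    "allowHostNetwork": False,
    "allowHostPID": False,
    "allowHostPorts": False,
    "allowPrivilegeEscalation": True,
    "allowPrivilegedContainer": False,
    "allowedCapabilities": ["*"],
    "runAsUser": {"type": "RunAsAny"},
    "groups": [],
    "users": ["system:serviceaccount:gateways:default",
              "system:serviceaccount:gateways:datapower-sftp"],
})

# Subjects the namespace owner intends to run as root (hypothetical names).
EXPECTED_USERS = {"system:serviceaccount:gateways:default",
                  "system:serviceaccount:gateways:datapower-sftp"}

# Host-level settings the DataPower SCC leaves disabled; they must stay that way.
HOST_FLAGS = ("allowHostDirVolumePlugin", "allowHostIPC", "allowHostNetwork",
              "allowHostPID", "allowHostPorts", "allowPrivilegedContainer")


def audit_scc(scc_json, expected_users):
    """Return findings for an exported SCC; an empty list means nothing to report."""
    scc = json.loads(scc_json)
    findings = []
    for flag in HOST_FLAGS:
        if scc.get(flag):
            findings.append(f"{flag} is true; the DataPower SCC does not need it")
    # The page's SCC allows every capability; record it so reviewers see the scope.
    if "*" in scc.get("allowedCapabilities", []):
        findings.append("allowedCapabilities grants every capability ('*')")
    if scc.get("groups"):
        findings.append(f"SCC granted to groups {scc['groups']}; bind service accounts only")
    # SCCs are cluster-scoped: a subject from any namespace can end up in users.
    for user in scc.get("users", []):
        if user not in expected_users:
            findings.append(f"unexpected subject bound to SCC: {user}")
    return findings
```

Run the audit after every `add-scc-to-user`, and whenever a DataPowerService that does not need root is created in the same namespace, to confirm its service account has not been linked to the root-enabled SCC.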