Running DataPower containers as root user

By default, DataPower containers run as a non-root user. However, certain DataPower features, such as SSH and SFTP, require root privileges. To allow these features to work, the DataPower container must run as the root user.

As a best practice, workloads that need root privilege should be isolated from the rest. For example, if a single Multi-Protocol Gateway (MPGW) service in DataPower relies on SFTP, it should be deployed in a separate DataPowerService instance that runs as the root user. All other services that do not require root privilege should be deployed in a different DataPowerService that runs under the default security constraints.

Kubernetes

The DataPowerService spec property runAsRoot can be enabled to run the DataPower containers as the root user on Kubernetes. Unless custom security constraints are configured in the namespace, this works without any additional configuration. If custom security constraints in the namespace prevent it, work with your Kubernetes admins to determine the best approach for deploying a root-enabled workload.

OpenShift

In OpenShift, the runAsRoot toggle will not work by default without additional configuration. To allow it to work, a custom SecurityContextConstraint must be applied.

Custom SecurityContextConstraint

Copy the YAML below and apply it to your OCP cluster as a prerequisite to enabling runAsRoot in the DataPowerService.

YAML

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: 'Custom SCC for running IBM DataPower Gateway pods as root user'
  creationTimestamp: null
  name: datapower-root
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities:
- '*'
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

Apply

oc apply -f datapower-root.yaml

Service Account

The DataPower Operator automatically configures the default Service Account to use the datapower-root SCC above when runAsRoot is enabled in the DataPowerService. However, if you are using a custom ServiceAccount (serviceAccountName), you must link that Service Account to the SCC manually.

oc adm policy add-scc-to-user datapower-root -z <your-service-account>
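The steps above (apply the SCC, bind it to the service account when a custom serviceAccountName is used, then confirm the pod really runs as root) can be scripted and checked end to end. The following helper script is an added example and is not part of the DataPower Operator documentation or the operator's own tooling. It assumes the SCC manifest from this page is saved as ./datapower-root.yaml, that the caller supplies the service account, namespace and pod names, and that the DataPower image provides the id command; the openshift.io/scc pod annotation it reads is a standard OpenShift field that records which SCC admitted the pod. Because the datapower-root SCC grants all capabilities and privilege escalation, the script binds it to exactly one service account rather than to a group, matching the empty users and groups lists in the manifest.

```shell
#!/bin/sh
# Added example, not from the DataPower Operator docs: applies the
# datapower-root SCC, binds it to the service account a DataPowerService uses,
# and verifies which SCC OpenShift actually admitted the DataPower pod under.
#
# Assumptions (not from the page): the SCC manifest is ./datapower-root.yaml,
# the pod/namespace names are supplied by the caller, and the DataPower image
# has the "id" command available.
set -eu

SCC_NAME="datapower-root"                     # name from the SCC manifest on this page
SCC_FILE="${SCC_FILE:-./datapower-root.yaml}" # assumed location of that manifest

# apply_scc: SCCs are cluster-scoped, so no namespace is needed here.
apply_scc() {
    oc apply -f "$SCC_FILE"
}

# bind_scc SERVICE_ACCOUNT NAMESPACE
# Grants "use" of the SCC to exactly one service account, which keeps this
# permissive SCC (all capabilities, privilege escalation) off every other pod.
bind_scc() {
    oc adm policy add-scc-to-user "$SCC_NAME" -z "$1" -n "$2"
}

# setup_root_scc SERVICE_ACCOUNT NAMESPACE
# The operator binds the SCC to the "default" service account itself when
# runAsRoot is enabled; a custom serviceAccountName must be bound manually.
setup_root_scc() {
    apply_scc
    if [ "$1" = "default" ]; then
        echo "service account 'default' is bound by the operator; nothing to do"
    else
        bind_scc "$1" "$2"
    fi
}

# pod_scc POD NAMESPACE
# Prints the SCC the admission controller selected for the pod. OpenShift
# records that decision in the openshift.io/scc annotation.
pod_scc() {
    oc get pod "$1" -n "$2" \
        -o jsonpath='{.metadata.annotations.openshift\.io/scc}'
}

# pod_uid POD NAMESPACE
# Prints the numeric uid the container process actually runs as (0 = root).
pod_uid() {
    oc exec "$1" -n "$2" -- id -u
}

# verify_root_pod POD NAMESPACE
# Returns 0 only if the pod was admitted under datapower-root and runs as uid 0.
# Any other SCC (for example "restricted") means runAsRoot is not in effect.
verify_root_pod() {
    scc=$(pod_scc "$1" "$2")
    uid=$(pod_uid "$1" "$2")
    if [ "$scc" = "$SCC_NAME" ] && [ "$uid" = "0" ]; then
        echo "pod $1: scc=$scc uid=$uid (runAsRoot in effect)"
        return 0
    fi
    echo "pod $1: scc='${scc:-<none>}' uid='${uid:-?}', expected scc=$SCC_NAME uid=0" >&2
    return 1
}

# Usage: <service-account> <namespace> <pod>, for example
#   sh datapower-root-scc.sh my-dp-sa datapower my-dp-0
# Guarded so the functions can also be sourced without running anything.
if [ "$#" -eq 3 ]; then
    setup_root_scc "$1" "$2"
    verify_root_pod "$3" "$2"
fi
```

Run it after the DataPowerService with runAsRoot enabled has been created and its pod is scheduled; a pod reported under the restricted SCC with a non-zero uid is the usual sign that the service account binding (the last step on this page) was skipped.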