Chapter 5. Additional security privileges granted for kubevirt-controller and virt-launcher
The kubevirt-controller and virt-launcher pods are granted some SELinux policies and Security Context Constraints privileges that are in addition to typical pod owners. These privileges enable virtual machines to use OpenShift Virtualization features.
5.1. Extended SELinux policies for virt-launcher pods
The container_t SELinux policy for virt-launcher pods is extended with the following rules:
-
allow process self (tun_socket (relabelfrom relabelto attach_queue)) -
allow process sysfs_t (file (write)) -
allow process hugetlbfs_t (dir (add_name create write remove_name rmdir setattr)) -
allow process hugetlbfs_t (file (create unlink))
These rules enable the following virtualization features:
- Relabel and attach queues to its own TUN sockets, which is required to support network multi-queue. Multi-queue enables network performance to scale as the number of available vCPUs increases.
-
Allows virt-launcher pods to write information to sysfs (
/sys) files, which is required to enable Single Root I/O Virtualization (SR-IOV). -
Read/write
hugetlbfsentries, which is required to support huge pages. Huge pages are a method of managing large amounts of memory by increasing the memory page size.
5.2. Additional OpenShift Container Platform security context constraints and Linux capabilities for the kubevirt-controller service account
Security context constraints (SCCs) control permissions for pods. These permissions include actions that a pod, a collection of containers, can perform and what resources it can access. You can use SCCs to define a set of conditions that a pod must run with in order to be accepted into the system.
The kubevirt-controller is a cluster controller that creates the virt-launcher pods for virtual machines in the cluster. These virt-launcher pods are granted permissions by the kubevirt-controller service account.
5.2.1. Additional SCCs granted to the kubevirt-controller service account
The kubevirt-controller service account is granted additional SCCs and Linux capabilities so that it can create virt-launcher pods with the appropriate permissions. These extended permissions allow virtual machines to take advantage of OpenShift Virtualization features that are beyond the scope of typical pods.
The kubevirt-controller service account is granted the following SCCs:
-
scc.AllowHostDirVolumePlugin = true
This allows virtual machines to use the hostpath volume plug-in. -
scc.AllowPrivilegedContainer = false
This ensures the virt-launcher pod is not run as a privileged container. -
scc.AllowedCapabilities = []corev1.Capability{"NET_ADMIN", "NET_RAW", "SYS_NICE"}
This provides the following additional Linux capabilitiesNET_ADMIN,NET_RAW, andSYS_NICE.
5.2.2. Viewing the SCC and RBAC definitions for the kubevirt-controller
You can view the SecurityContextConstraints definition for the kubevirt-controller by using the oc tool:
$ oc get scc kubevirt-controller -o yaml
You can view the RBAC definition for the kubevirt-controller clusterrole by using the oc tool:
$ oc get clusterrole kubevirt-controller -o yaml
5.3. Additional resources
- The Red Hat Enterprise Linux Virtualization Tuning and Optimization Guide has more information on network multi-queue and huge pages.
-
The
capabilitiesman page has more information on the Linux capabilities. -
The
sysfs(5)man page has more information on sysfs. - The OpenShift Container Platform Authentication guide has more information on Security Context Constraints.
