
Chapter 2. Pod Security Admission

Red Hat OpenShift uses Pod Security Admission (PSA) to apply a set of security rules for application pods that are in the same Red Hat OpenShift cluster. In the context of Cryostat, these application pods include a Cryostat pod and a Report sidecar pod. Optionally, you can enable the Report sidecar pod on a Cryostat custom resource (CR). If an application does not meet the policy standards, the application cannot run in your Red Hat OpenShift cluster.

Red Hat OpenShift 4.8 deprecates the PodSecurityPolicy API and uses the PSA instead. The PSA provides the following benefits:

  • Includes a built-in controller that can enforce pod security standards for your application pods.
  • Includes a set of pod security standards that define three different policies: Privileged, Baseline, and Restricted.

On Red Hat OpenShift, you can use the PSA together with security context constraints (SCCs) to define policies for a Red Hat OpenShift cluster. By default, the restricted-v2 SCC aligns with the Restricted pod security standard.

Note

By default, the security context for a Cryostat pod conforms to the restricted-v2 SCC, which means that Red Hat OpenShift can admit the pod in namespaces that enforce the Restricted pod security standard.

The Restricted policy requires that the Red Hat build of Cryostat Operator configures the container security context as follows:

  • Drops ALL capabilities
  • Sets allowPrivilegeEscalation to false

The Restricted policy requires that the Red Hat build of Cryostat Operator configures the pod security context as follows:

  • Sets runAsNonRoot to true
  • Sets the seccompProfile to RuntimeDefault

Additionally, the Red Hat build of Cryostat Operator defines fsGroup in the pod security context for the Cryostat application pod, so that Cryostat can read and write to files in a persistent storage volume on Red Hat OpenShift.

If you have additional requirements beyond conforming to the Restricted pod security standard, you can override the default security contexts that Cryostat uses.

2.1. Configuring security contexts

You can specify pod and container security contexts in the Cryostat custom resource (CR) on Red Hat OpenShift. The security context applies permissions to the Cryostat pod, the Report sidecar pod (when it is in use), and the containers for each pod.

Note

If you change the settings of the CR, these settings override the default security context settings.

A security context applies specific permissions to an application that exists in a pod. The security context cannot change the criteria of an SCC policy. You can create a custom SCC to instruct the Red Hat OpenShift cluster to enforce strict permissions on the pod, such as actions that the pod can perform or resources that the pod can access.

To create a custom SCC you must have cluster administration permissions. You must also create a security context for any pods that operate in the cluster, so that these pods meet the custom SCC requirements.

An SCC enforces changes at the Red Hat OpenShift cluster level and namespace level, so that any pods operating inside this cluster receive policy criteria. By contrast, a security context is unique to a pod.

By default, the Red Hat build of Cryostat Operator conforms to the restricted-v2 SCC policy for your Cryostat pod.

By default, the Red Hat build of Cryostat Operator creates a service account for Cryostat and its components, such as jfr-datasource and grafana.

To enable this service account to use a custom SCC, perform either of the following steps:

  • Create a Role Binding that binds the Cryostat service account to a role that uses your custom SCC.
  • Use a Label Syncer component to instruct your project’s namespace to follow PSA policies.

Note

The Label Syncer component is outside the scope of this document. You cannot use the Label Syncer component on Red Hat OpenShift system namespaces, which usually have the openshift- prefix.

Important

Before you configure a security context to apply specific permissions to an application pod, consider the security risks that you might introduce to your cluster on Red Hat OpenShift. The PSA provides three graded policy levels that typically meet most requirements. Red Hat does not take any responsibility for security context changes that do not align with the Red Hat OpenShift pod security standards.

Prerequisites

  • Logged in to the OpenShift Container Platform by using the Red Hat OpenShift web console.
  • Installed the Red Hat build of Cryostat Operator in a project on Red Hat OpenShift. See Installing Cryostat on Red Hat OpenShift by using a Red Hat build of Cryostat Operator (Installing Cryostat).
  • Optional: Read the new PSA and new SCC policies. See Managing security context constraints (OpenShift Container Platform).
  • Optional: Configured your project to use one of the three policies that the PSA provides.

    • If you want to use a custom SCC to enforce specific policies for your pod, you must configure the SCC to enable your pod’s service account to access it.

Procedure

  1. From the Red Hat OpenShift web console, click Operators > Installed Operators.
  2. From the list of available operators, select Red Hat build of Cryostat.
  3. Click Provided APIs > Create. The Red Hat build of Cryostat Operator does not create a service account for the Report sidecar pods. Instead, these pods use default service accounts in their own namespaces.
  4. To configure a security context, complete one of the following options:

    1. Click YAML view. From the spec: element, edit the securityOptions and reportOptions properties to match your security requirements.

      Example configuration for a security context

      apiVersion: operator.cryostat.io/v1beta1
      kind: Cryostat
      metadata:
        name: cryostat-sample
      spec:
        securityOptions:
          podSecurityContext:
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          coreSecurityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsUser: 1001
          dataSourceSecurityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          grafanaSecurityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
        reportOptions:
          replicas: 1
          podSecurityContext:
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
          reportsSecurityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            runAsUser: 1001

    2. Expand Advanced Configurations to open additional options on your Red Hat OpenShift web console.

      Figure 2.1. The Advanced configuration menu options
    3. Expand Core Security Context. From the available list of options, define settings for your security context.
  5. Click Create.
  6. Repeat steps 1 through 5 for Data Source Security Context, Grafana Security Context, and Pod Security Context as appropriate.
  7. Optional: If you are using the Report Generator service, you can also configure the security contexts for this service, as follows:

    1. From Report Options, expand Advanced Configurations.
    2. Expand Security Options. Define Reports Security Context and Pod Security Context as appropriate.
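The following checker is an added example, not code from the Cryostat documentation or the operator: it takes a Cryostat CR (embedded here as a constructed Python dictionary that mirrors the example configuration above) and reports every security context field that departs from the Restricted requirements listed at the start of this chapter. It assumes that a context omitted from the CR keeps the operator default, which the chapter states conforms to restricted-v2.

```python
# Constructed sample that mirrors the example Cryostat CR in Section 2.1 (not the operator's code).
CRYOSTAT_CR = {
    "apiVersion": "operator.cryostat.io/v1beta1", "kind": "Cryostat", "metadata": {"name": "cryostat-sample"},
    "spec": {
        "securityOptions": {
            "podSecurityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
            "coreSecurityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}, "runAsUser": 1001},
            "dataSourceSecurityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
            "grafanaSecurityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
        },
        "reportOptions": {"replicas": 1,
            "podSecurityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
            "reportsSecurityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}, "runAsUser": 1001},
        },
    },
}
# Container-level security context fields the CR can override; podSecurityContext is the pod-level one.
CONTAINER_KEYS = ("coreSecurityContext", "dataSourceSecurityContext", "grafanaSecurityContext", "reportsSecurityContext")

def check_pod_context(ctx, where):
    """Pod-level Restricted requirements from this chapter: runAsNonRoot and a RuntimeDefault seccomp profile."""
    problems = []
    if ctx.get("runAsNonRoot") is not True:
        problems.append(f"{where}: runAsNonRoot must be true")
    if ctx.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        problems.append(f"{where}: seccompProfile.type must be RuntimeDefault")
    return problems

def check_container_context(ctx, where):
    """Container-level requirements: no privilege escalation, drop ALL capabilities, never UID 0."""
    problems = []
    if ctx.get("allowPrivilegeEscalation") is not False:
        problems.append(f"{where}: allowPrivilegeEscalation must be false")
    if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
        problems.append(f"{where}: capabilities.drop must include ALL")
    if ctx.get("runAsUser") == 0:
        problems.append(f"{where}: runAsUser 0 contradicts runAsNonRoot")
    return problems

def check_cryostat_cr(cr):
    """Collect violations in every context the CR sets; an absent context keeps the operator default (assumed conforming)."""
    problems = []
    for section in ("securityOptions", "reportOptions"):
        for key, ctx in cr.get("spec", {}).get(section, {}).items():
            if key == "podSecurityContext":
                problems += check_pod_context(ctx, f"{section}.{key}")
            elif key in CONTAINER_KEYS:
                problems += check_container_context(ctx, f"{section}.{key}")
    return problems
```

Run it over a CR exported with `oc get cryostat <name> -o json` (after loading the JSON into a dictionary) before applying an edited CR, so that a pod rejected by a namespace enforcing the Restricted standard is caught at review time rather than at admission.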

2.2. Pod Security Standard policies

The Pod Security Admission (PSA) includes three policies that cover security levels related to pod security standards. The following table explains each policy:

Profile       Description

Privileged    An unrestricted policy that provides a wide level of permissions for your Cryostat pod. Consider setting this policy if you need to provide known privilege escalations to your pods.

Baseline      The default policy, which restricts known privilege escalations. The Baseline policy sets controls where each control defines restricted fields and allowed values.

Restricted    A heavily restricted policy that provides a low level of permissions for your Cryostat pod. This policy sets controls where each control defines restricted fields and allowed values.
