Questo contenuto non è disponibile nella lingua selezionata.

Chapter 11. Configuring seccomp profiles


An OpenShift Container Platform container or a pod runs a single application that performs one or more well-defined tasks. The application usually requires only a small subset of the underlying operating system kernel APIs. Seccomp, secure computing mode, is a Linux kernel feature that can be used to limit the process running in a container to only call a subset of the available system calls. These system calls can be configured by creating a profile that is applied to a container or pod. Seccomp profiles are stored as JSON files on the disk.

Important

OpenShift workloads run unconfined by default, without any seccomp profile applied.

Important

Seccomp profiles cannot be applied to privileged containers.

11.1. Enabling the default seccomp profile for all pods

OpenShift Container Platform ships with a default seccomp profile that is referenced as runtime/default. You can enable the default seccomp profile for a pod or container workload by creating a custom Security Context Constraint (SCC).

Note

There is a requirement to create a custom SCC. Do not edit the default SCCs. Editing the default SCCs can lead to issues when some of the platform pods deploy or OpenShift Container Platform is upgraded. For more information, see the section entitled "Default security context constraints".

Follow these steps to enable the default seccomp profile for all pods:

  1. Export the available restricted SCC to a yaml file:

    $ oc get scc restricted -o yaml > restricted-seccomp.yaml
  2. Edit the created restricted SCC yaml file:

    $ vi restricted-seccomp.yaml
  3. Update as shown in this example:

    kind: SecurityContextConstraints
    metadata:
      name: restricted  1
    <..snip..>
    seccompProfiles:    2
    - runtime/default   3
    1
    Change to restricted-seccomp
    2
    Add seccompProfiles:
    3
    Add - runtime/default
  4. Create the custom SCC:

    $ oc create -f restricted-seccomp.yaml

    Expected output

    securitycontextconstraints.security.openshift.io/restricted-seccomp created

  5. Add the custom SCC to the ServiceAccount:

    $ oc adm policy add-scc-to-user restricted-seccomp -z default
    Note

    The default service account is the ServiceAccount that is applied unless the user configures a different one. OpenShift Container Platform configures the seccomp profile of the pod based on the information in the SCC.

    Expected output

    clusterrole.rbac.authorization.k8s.io/system:openshift:scc:restricted-seccomp added: "default"

In OpenShift Container Platform 4.10 the ability to add the pod annotations seccomp.security.alpha.kubernetes.io/pod: runtime/default and container.seccomp.security.alpha.kubernetes.io/<container_name>: runtime/default is deprecated.

11.2. Configuring a custom seccomp profile

You can configure a custom seccomp profile, which allows you to update the filters based on the application requirements. This allows cluster administrators to have greater control over the security of workloads running in OpenShift Container Platform.

11.2.1. Setting up the custom seccomp profile

Prerequisite

  • You have cluster administrator permissions.
  • You have created a custom security context constraints (SCC). For more information, see "Additional resources".
  • You have created a custom seccomp profile.

Procedure

  1. Upload your custom seccomp profile to /var/lib/kubelet/seccomp/<custom-name>.json by using the Machine Config. See "Additional resources" for detailed steps.
  2. Update the custom SCC by providing reference to the created custom seccomp profile:

    seccompProfiles:
    - localhost/<custom-name>.json 1
    1
    Provide the name of your custom seccomp profile.

11.2.2. Applying the custom seccomp profile to the workload

Prerequisite

  • The cluster administrator has set up the custom seccomp profile. For more details, see "Setting up the custom seccomp profile".

Procedure

  • Apply the seccomp profile to the workload by setting the securityContext.seccompProfile.type field as following:

    Example

    spec:
      securityContext:
        seccompProfile:
          type: Localhost
          localhostProfile: <custom-name>.json 1

    1
    Provide the name of your custom seccomp profile.

    Alternatively, you can use the pod annotations seccomp.security.alpha.kubernetes.io/pod: localhost/<custom-name>.json. However, this method is deprecated in OpenShift Container Platform 4.10.

During deployment, the admission controller validates the following:

  • The annotations against the current SCCs allowed by the user role.
  • The SCC, which includes the seccomp profile, is allowed for the pod.

If the SCC is allowed for the pod, the kubelet runs the pod with the specified seccomp profile.

Important

Ensure that the seccomp profile is deployed to all worker nodes.

Note

The custom SCC must have the appropriate priority to be automatically assigned to the pod or meet other conditions required by the pod, such as allowing CAP_NET_ADMIN.

11.3. Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita ilBlog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

© 2024 Red Hat, Inc.