Questo contenuto non è disponibile nella lingua selezionata.

Chapter 6. Additional security privileges granted for kubevirt-controller and virt-launcher


The kubevirt-controller and virt-launcher pods are granted some SELinux policies and Security Context Constraints privileges that are in addition to typical pod owners. These privileges enable virtual machines to use OpenShift Virtualization features.

6.1. Extended SELinux policies for virt-launcher pods

The container_t SELinux policy for virt-launcher pods is extended to enable essential functions of OpenShift Virtualization.

  • The following policy is required for network multi-queue, which enables network performance to scale as the number of available vCPUs increases:

    • allow process self (tun_socket (relabelfrom relabelto attach_queue))
  • The following policy allows virt-launcher to read files under the /proc directory, including /proc/cpuinfo and /proc/uptime:

    • allow process proc_type (file (getattr open read))
  • The following policy allows libvirtd to relay network-related debug messages.

    • allow process self (netlink_audit_socket (nlmsg_relay))

      Note

      Without this policy, any attempt to relay network debug messages is blocked. This might fill the node’s audit logs with SELinux denials.

  • The following policies allow libvirtd to access hugetblfs, which is required to support huge pages:

    • allow process hugetlbfs_t (dir (add_name create write remove_name rmdir setattr))
    • allow process hugetlbfs_t (file (create unlink))
  • The following policies allow virtiofs to mount filesystems and access NFS:

    • allow process nfs_t (dir (mounton))
    • allow process proc_t (dir (mounton))
    • allow process proc_t (filesystem (mount unmount))

6.2. Additional OpenShift Container Platform security context constraints and Linux capabilities for the kubevirt-controller service account

Security context constraints (SCCs) control permissions for pods. These permissions include actions that a pod, a collection of containers, can perform and what resources it can access. You can use SCCs to define a set of conditions that a pod must run with to be accepted into the system.

The kubevirt-controller is a cluster controller that creates the virt-launcher pods for virtual machines in the cluster. These virt-launcher pods are granted permissions by the kubevirt-controller service account.

6.2.1. Additional SCCs granted to the kubevirt-controller service account

The kubevirt-controller service account is granted additional SCCs and Linux capabilities so that it can create virt-launcher pods with the appropriate permissions. These extended permissions allow virtual machines to take advantage of OpenShift Virtualization features that are beyond the scope of typical pods.

The kubevirt-controller service account is granted the following SCCs:

  • scc.AllowHostDirVolumePlugin = true
    This allows virtual machines to use the hostpath volume plugin.
  • scc.AllowPrivilegedContainer = false
    This ensures the virt-launcher pod is not run as a privileged container.
  • scc.AllowedCapabilities = []corev1.Capability{"NET_ADMIN", "NET_RAW", "SYS_NICE"}
    This provides the following additional Linux capabilities NET_ADMIN, NET_RAW, and SYS_NICE.

6.2.2. Viewing the SCC and RBAC definitions for the kubevirt-controller

You can view the SecurityContextConstraints definition for the kubevirt-controller by using the oc tool:

$ oc get scc kubevirt-controller -o yaml

You can view the RBAC definition for the kubevirt-controller clusterrole by using the oc tool:

$ oc get clusterrole kubevirt-controller -o yaml

6.3. Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita ilBlog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

© 2024 Red Hat, Inc.