eBPF with SCC on OpenShift
- Updated on 23 Jan 2023
Red Hat's OpenShift is a cloud Platform as a Service (PaaS) built on Kubernetes that helps developers build applications. It offers automated installation, upgrades, and life cycle management throughout the container stack, that is, the operating system, Kubernetes, cluster services, and applications. This topic provides Helm and Terraform values for Traceable's eBPF agent with OpenShift's Security Context Constraints (SCC). An SCC lets administrators control the permissions a pod may request, such as host namespaces, host paths and Linux capabilities. For more information on Security Context Constraints, see Managing Security Context Constraints.
Before you configure Helm or Terraform values for SCC in an OpenShift environment, make sure that Traceable's eBPF agent is already installed. For more information on deployment, see eBPF.
The following table provides Helm and Terraform values for SCC on OpenShift.
Creates Traceable security context constraint (recommended for OpenShift deployments).
Create Traceable security context constraint (SCC) for Terraform deployments
As mentioned in the table above, there is no option to create the Traceable security context constraint automatically if you are using Terraform to deploy the eBPF solution in an OpenShift environment. In that case, use the following YAML file to create the security context constraint yourself.
# Source: traceable-agent-scc.yaml
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: traceable-agent-scc
  namespace: traceableai
  labels:
    app.kubernetes.io/name: traceable-agent
    app.kubernetes.io/instance: traceableai
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
readOnlyRootFilesystem: false
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
groups:
  - system:nodes
supplementalGroups:
  type: RunAsAny
users:
  - system:serviceaccount:traceableai:traceable-agent-service-account
volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath
  - projected
allowedCapabilities:
  - IPC_LOCK
  - SYS_ADMIN
  - SYS_CHROOT
  - SYS_RESOURCE
  - SYS_PTRACE
  - SETFCAP
requiredDropCapabilities:
  - DAC_READ_SEARCH
  - LINUX_IMMUTABLE
  - NET_BROADCAST
  - NET_ADMIN
  - NET_RAW
  - IPC_OWNER
  - SYS_MODULE
  - SYS_RAWIO
  - SYS_PACCT
  - SYS_BOOT
  - SYS_NICE
  - SYS_TIME
  - SYS_TTY_CONFIG
  - MKNOD
  - LEASE
  - AUDIT_WRITE
  - AUDIT_CONTROL
  - MAC_OVERRIDE
  - MAC_ADMIN
  - SYSLOG
  - WAKE_ALARM
  - BLOCK_SUSPEND
  - AUDIT_READ
  - PERFMON
  - BPF
If you have configured ebpf_run_as_privileged=true in the Terraform variables while deploying the Traceable Platform agent, then also configure the following two variables in the YAML file:
Setting the value to true gives higher privileges to a pod and allows it to perform operations that are otherwise restricted, so apply it only where the privileged agent mode is actually in use. For more information, see About Security Context Constraints.
Enter the following command to apply the manifest:
kubectl apply -f traceable-agent-scc.yaml
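Before applying an SCC such as the one above, a reviewer usually wants a quick, repeatable summary of what it grants (host namespaces, hostPath volumes, RunAsAny strategies, capabilities) and to whom (the users and groups it binds), plus a diff against the variant used when ebpf_run_as_privileged is enabled. The following added example is not part of Traceable's documentation or agent code; the dictionary is a constructed transcription of the manifest shown above, and the audit and diff helpers are this page's illustration, not an OpenShift API.

```python
"""Audit and diff helpers for an OpenShift SecurityContextConstraints manifest.

Constructed example for this page: TRACEABLE_AGENT_SCC transcribes the
traceable-agent-scc manifest shown above into a Python dict so the checks
run offline without PyYAML or a cluster. The helper functions are an
illustration, not part of Traceable's agent or of OpenShift.
"""

# Constructed: transcription of the page's traceable-agent-scc manifest.
TRACEABLE_AGENT_SCC = {
    "kind": "SecurityContextConstraints",
    "apiVersion": "security.openshift.io/v1",
    "metadata": {"name": "traceable-agent-scc", "namespace": "traceableai"},
    "allowPrivilegedContainer": False,
    "allowPrivilegeEscalation": False,
    "allowHostDirVolumePlugin": True,
    "allowHostIPC": True,
    "allowHostNetwork": True,
    "allowHostPID": True,
    "allowHostPorts": True,
    "readOnlyRootFilesystem": False,
    "runAsUser": {"type": "RunAsAny"},
    "seLinuxContext": {"type": "RunAsAny"},
    "fsGroup": {"type": "RunAsAny"},
    "supplementalGroups": {"type": "RunAsAny"},
    "groups": ["system:nodes"],
    "users": ["system:serviceaccount:traceableai:traceable-agent-service-account"],
    "volumes": ["configMap", "secret", "emptyDir", "hostPath", "projected"],
    "allowedCapabilities": ["IPC_LOCK", "SYS_ADMIN", "SYS_CHROOT",
                            "SYS_RESOURCE", "SYS_PTRACE", "SETFCAP"],
    "requiredDropCapabilities": [
        "DAC_READ_SEARCH", "LINUX_IMMUTABLE", "NET_BROADCAST", "NET_ADMIN",
        "NET_RAW", "IPC_OWNER", "SYS_MODULE", "SYS_RAWIO", "SYS_PACCT",
        "SYS_BOOT", "SYS_NICE", "SYS_TIME", "SYS_TTY_CONFIG", "MKNOD", "LEASE",
        "AUDIT_WRITE", "AUDIT_CONTROL", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG",
        "WAKE_ALARM", "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF",
    ],
}

# SCC fields that expose a host namespace or host resource to the pod.
HOST_ACCESS_FIELDS = ("allowHostIPC", "allowHostNetwork", "allowHostPID",
                      "allowHostPorts", "allowHostDirVolumePlugin")
# Strategy fields whose RunAsAny setting leaves the choice to the pod spec.
STRATEGY_FIELDS = ("runAsUser", "seLinuxContext", "fsGroup", "supplementalGroups")


def audit_scc(scc, expected_users=()):
    """Summarise what an SCC grants and to whom, as a dict of findings."""
    allowed = set(scc.get("allowedCapabilities", []))
    dropped = set(scc.get("requiredDropCapabilities", []))
    return {
        # A capability listed both as allowed and as required-drop is a
        # contradiction in the manifest and should be resolved before apply.
        "capability_overlap": allowed & dropped,
        "allowed_capabilities": sorted(allowed),
        "host_access": [f for f in HOST_ACCESS_FIELDS if scc.get(f)],
        "hostpath_volumes": "hostPath" in scc.get("volumes", []),
        "privileged": bool(scc.get("allowPrivilegedContainer")),
        "privilege_escalation": bool(scc.get("allowPrivilegeEscalation")),
        "run_as_any": [f for f in STRATEGY_FIELDS
                       if scc.get(f, {}).get("type") == "RunAsAny"],
        # Subjects bound to the SCC that the reviewer did not expect.
        "unexpected_users": sorted(set(scc.get("users", [])) - set(expected_users)),
        "groups": list(scc.get("groups", [])),
    }


def diff_scc(base, variant):
    """Return {field: (base_value, variant_value)} for top-level fields that differ."""
    keys = set(base) | set(variant)
    return {k: (base.get(k), variant.get(k))
            for k in sorted(keys) if base.get(k) != variant.get(k)}


if __name__ == "__main__":
    expected = ("system:serviceaccount:traceableai:traceable-agent-service-account",)
    for key, value in audit_scc(TRACEABLE_AGENT_SCC, expected).items():
        print(f"{key}: {value}")
    # Constructed variant: same SCC with privileged containers switched on.
    privileged = dict(TRACEABLE_AGENT_SCC, allowPrivilegedContainer=True)
    print("changes vs. base:", diff_scc(TRACEABLE_AGENT_SCC, privileged))
```

The audit deliberately reports rather than blocks: every host namespace flag in this manifest is true because an eBPF agent needs host PID and network visibility, so the useful control is a reviewed, scoped binding (one service account in `users`, nothing unexpected) and a diff that shows exactly which fields changed when the privileged variant is rolled out.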