eBPF with SCC on OpenShift
- Updated on 11 Apr 2024
Red Hat's OpenShift is a cloud development Platform as a Service (PaaS) built on Kubernetes that helps developers build applications. It offers automated installation, upgrades, and life cycle management throughout the container stack: the operating system, Kubernetes, cluster services, and applications. This topic provides Helm and Terraform values for Traceable's eBPF agent with OpenShift's Security Context Constraints (SCC). An SCC lets administrators control the permissions a pod is granted. For more information on Security Context Constraints, see Managing Security Context Constraints.
Before you configure Helm or Terraform values for SCC in an OpenShift environment, make sure that Traceable's eBPF agent is already installed. For more information on deployment, see eBPF.
The following table provides Helm and Terraform values for SCC on OpenShift.
Helm value | Terraform variable | Type | Default value | Description
---|---|---|---|---
| | | | | This enables |
| | | | " | Sets |
| | | | " | Sets |
| | | | " | Sets |
| | - | | | Creates Traceable security context constraint (recommended for OpenShift deployments). |
Create Traceable security context constraint (SCC) for Terraform deployments
As mentioned in the table above, there is no option to create the Traceable security context constraint if you are using Terraform to deploy the eBPF solution in an OpenShift environment. In that case, use the following YAML file to create the security context constraint.
```yaml
# Source: traceable-agent-scc.yaml
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: traceable-agent-scc
  namespace: traceableai
  labels:
    app.kubernetes.io/name: traceable-agent
    app.kubernetes.io/instance: traceableai
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
readOnlyRootFilesystem: false
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
groups:
  - system:nodes
supplementalGroups:
  type: RunAsAny
users:
  - system:serviceaccount:traceableai:traceable-agent-ebpf-service-account
volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath
  - projected
allowedCapabilities:
  - IPC_LOCK
  - SYS_ADMIN
  - SYS_CHROOT
  - SYS_RESOURCE
  - SYS_PTRACE
  - SETFCAP
requiredDropCapabilities:
  - DAC_READ_SEARCH
  - LINUX_IMMUTABLE
  - NET_BROADCAST
  - NET_ADMIN
  - NET_RAW
  - IPC_OWNER
  - SYS_MODULE
  - SYS_RAWIO
  - SYS_PACCT
  - SYS_BOOT
  - SYS_NICE
  - SYS_TIME
  - SYS_TTY_CONFIG
  - MKNOD
  - LEASE
  - AUDIT_WRITE
  - AUDIT_CONTROL
  - MAC_OVERRIDE
  - MAC_ADMIN
  - SYSLOG
  - WAKE_ALARM
  - BLOCK_SUSPEND
  - AUDIT_READ
  - PERFMON
  - BPF
```
If you configured ebpf_run_as_privileged=true in the Terraform variables when deploying the Traceable Platform agent, also set the following two fields in the YAML file:

```yaml
allowPrivilegedContainer: true
allowPrivilegeEscalation: true
```
Caution: Setting allowPrivilegedContainer and allowPrivilegeEscalation to true gives a pod higher privileges and allows it to perform operations that are otherwise restricted. For more information, see About Security Context Constraints.
Enter the following command to apply the manifest:

```shell
kubectl apply -f traceable-agent-scc.yaml
```
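Before applying the manifest, it is worth confirming that its privilege flags agree with the ebpf_run_as_privileged value you deployed with, and that no capability is both allowed and required to be dropped. The script below is an added example, not Traceable's own tooling; it assumes the manifest keeps the flat layout shown above (top-level scalars, one-level lists, and one-level maps), so it needs no YAML library.

```python
def parse_scc(text):
    """Minimal parser for the flat layout of the manifest above (no PyYAML needed)."""
    doc, key = {}, None
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        if body.startswith("- "):                    # list item under the current key
            items = doc.get(key) if isinstance(doc.get(key), list) else []
            doc[key] = items + [body[2:].strip()]
        elif raw[0] not in " \t":                     # top-level `key: value` or `key:`
            key, _, value = body.partition(":")
            doc[key] = value.strip() or None
        else:                                         # nested map such as `type: RunAsAny`
            sub, _, value = body.partition(":")
            doc[key] = doc.get(key) if isinstance(doc.get(key), dict) else {}
            doc[key][sub.strip()] = value.strip()
    return doc

def audit_scc(text, ebpf_run_as_privileged):
    """Return findings; an empty list means the SCC matches the intended posture."""
    scc, findings = parse_scc(text), []
    want = "true" if ebpf_run_as_privileged else "false"
    for flag in ("allowPrivilegedContainer", "allowPrivilegeEscalation"):
        got = str(scc.get(flag) or "unset").lower()
        if got != want:
            findings.append(f"{flag} is {got}, expected {want} for ebpf_run_as_privileged={want}")
    both = set(scc.get("allowedCapabilities") or []) & set(scc.get("requiredDropCapabilities") or [])
    for cap in sorted(both):
        findings.append(f"{cap} is in both allowedCapabilities and requiredDropCapabilities")
    if "hostPath" in (scc.get("volumes") or []) and scc.get("allowHostDirVolumePlugin") != "true":
        findings.append("volumes lists hostPath but allowHostDirVolumePlugin is not true")
    return findings

# Constructed excerpt of the manifest above, trimmed to the audited fields.
SAMPLE_SCC = """\
kind: SecurityContextConstraints
metadata:
  name: traceable-agent-scc
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostDirVolumePlugin: true
volumes:
  - hostPath
allowedCapabilities:
  - SYS_ADMIN
requiredDropCapabilities:
  - NET_ADMIN
"""
```

Run audit_scc(open("traceable-agent-scc.yaml").read(), ebpf_run_as_privileged=False) against the real file; each returned string is a mismatch to resolve before kubectl apply.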