eBPF with SCC on OpenShift
  • 23 Jan 2023

Article Summary

Red Hat's OpenShift is a cloud development Platform as a Service (PaaS) built on Kubernetes that helps developers build applications. It offers automated installation, upgrades, and life cycle management throughout the container stack: the operating system, Kubernetes, cluster services, and applications. This topic provides the Helm and Terraform values for running Traceable's eBPF agent under OpenShift's Security Context Constraints (SCC). SCCs allow administrators to control the permissions granted to pods. For more information on Security Context Constraints, see Managing Security Context Constraints.

Before you configure Helm or Terraform values for SCC in an OpenShift environment, make sure that Traceable's eBPF agent is already installed. For more information on deployment, see eBPF.

The following table provides the Helm and Terraform values for SCC on OpenShift.

| Helm value | Terraform variable | Type | Default value | Description |
|---|---|---|---|---|
| ebpfSELinuxOptionsEnabled | ebpf_se_linux_options_enabled | bool | false | Enables SELinuxOptions in the eBPF container security context. |
| ebpfSELinuxOptionsRole | ebpf_se_linux_options_role | string | "system_r" | Sets the SELinuxOptions role. |
| ebpfSELinuxOptionsType | ebpf_se_linux_options_type | string | "spc_t" | Sets the SELinuxOptions type. |
| ebpfSELinuxOptionsUser | ebpf_se_linux_options_user | string | "system_u" | Sets the SELinuxOptions user. |
| ebpfOpenshiftSCC | - | bool | false | Creates the Traceable security context constraint (recommended for OpenShift deployments). |

Create Traceable security context constraint (SCC) for Terraform deployments

As the table above shows, there is no Terraform variable that creates the Traceable security context constraint when you deploy the eBPF solution in an OpenShift environment with Terraform. In that case, use the following YAML file to create the security context constraint.

# Source: traceable-agent-scc.yaml
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: traceable-agent-scc
  namespace: traceableai
  labels:
    app.kubernetes.io/name: traceable-agent
    app.kubernetes.io/instance: traceableai
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
readOnlyRootFilesystem: false
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
groups:
  - system:nodes
supplementalGroups:
  type: RunAsAny
users:
  - system:serviceaccount:traceableai:traceable-agent-service-account
volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath
  - projected
allowedCapabilities:
  - IPC_LOCK
  - SYS_ADMIN
  - SYS_CHROOT
  - SYS_RESOURCE
  - SYS_PTRACE
  - SETFCAP
requiredDropCapabilities:
  - DAC_READ_SEARCH
  - LINUX_IMMUTABLE
  - NET_BROADCAST
  - NET_ADMIN
  - NET_RAW
  - IPC_OWNER
  - SYS_MODULE
  - SYS_RAWIO
  - SYS_PACCT
  - SYS_BOOT
  - SYS_NICE
  - SYS_TIME
  - SYS_TTY_CONFIG
  - MKNOD
  - LEASE
  - AUDIT_WRITE
  - AUDIT_CONTROL
  - MAC_OVERRIDE
  - MAC_ADMIN
  - SYSLOG
  - WAKE_ALARM
  - BLOCK_SUSPEND
  - AUDIT_READ
  - PERFMON
  - BPF

If you set ebpf_run_as_privileged=true in the Terraform variables when deploying the Traceable Platform agent, also set the following two fields to true in the YAML file:

  • allowPrivilegedContainer: true
  • allowPrivilegeEscalation: true

Caution
Setting allowPrivilegedContainer and allowPrivilegeEscalation to true gives higher privileges to a pod and allows it to perform operations that are otherwise restricted. For more information, see About Security Context Constraints.


Enter the following command to apply the manifest:

kubectl apply -f traceable-agent-scc.yaml
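Before applying the manifest, it is worth checking that it still has the shape documented above (privileged flags off unless ebpf_run_as_privileged is set, only the documented capabilities allowed, only the agent's service account bound). The following audit is an added example, not Traceable's own tooling; it parses only the flat YAML layout of this manifest (so it needs no PyYAML), and the sample manifest it runs on is constructed from the fields above:

```python
# Added example, not Traceable tooling: audit the SCC manifest before applying it.
# Parses only the flat YAML shape that manifest uses (no PyYAML needed).
DOCUMENTED_ALLOWED_CAPS = {"IPC_LOCK", "SYS_ADMIN", "SYS_CHROOT",
                           "SYS_RESOURCE", "SYS_PTRACE", "SETFCAP"}
AGENT_SA = "system:serviceaccount:traceableai:traceable-agent-service-account"

def parse_flat_yaml(text):
    """Top-level 'key: scalar' and 'key:' + '  - item' lists; nested mappings
    (metadata, runAsUser, ...) become empty lists, which the audit never reads."""
    doc, key = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            key, _, val = line.partition(":")
            doc[key.strip()] = val.strip() or []
        elif line.strip().startswith("- ") and isinstance(doc.get(key), list):
            doc[key].append(line.strip()[2:].strip())
    return doc

def audit_scc(text, ebpf_run_as_privileged=False):
    """Return findings; an empty list means the SCC matches the documented shape."""
    doc, findings = parse_flat_yaml(text), []
    # Privileged flags are justified only when the agent itself runs privileged.
    for flag in ("allowPrivilegedContainer", "allowPrivilegeEscalation"):
        if doc.get(flag) == "true" and not ebpf_run_as_privileged:
            findings.append(f"{flag}: true without ebpf_run_as_privileged=true")
    allowed = set(doc.get("allowedCapabilities", []))
    dropped = set(doc.get("requiredDropCapabilities", []))
    for cap in sorted(allowed - DOCUMENTED_ALLOWED_CAPS):
        findings.append(f"undocumented capability allowed: {cap}")
    for cap in sorted(allowed & dropped):
        findings.append(f"capability both allowed and required-dropped: {cap}")
    # The SCC should bind only the agent's service account, nothing broader.
    for user in doc.get("users", []):
        if user != AGENT_SA:
            findings.append(f"unexpected SCC user: {user}")
    return findings

# Constructed sample: the page's manifest cut down to the audited fields.
SAMPLE_SCC = """\
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
users:
  - system:serviceaccount:traceableai:traceable-agent-service-account
allowedCapabilities:
  - IPC_LOCK
  - SYS_ADMIN
requiredDropCapabilities:
  - NET_ADMIN
"""
```

Run it against the full traceable-agent-scc.yaml with `audit_scc(open("traceable-agent-scc.yaml").read())`; pass `ebpf_run_as_privileged=True` only when the Terraform variable is actually set.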