---
title: "eBPF on OpenShift"
slug: "ebpf-scc-openshift"
updated: 2024-04-11T13:43:04Z
published: 2024-04-11T13:43:04Z
---

# eBPF with SCC on OpenShift

Red Hat OpenShift is a Kubernetes-based Platform as a Service (PaaS) for building and running containerized applications. It provides automated installation, upgrades, and life-cycle management across the container stack: the operating system, Kubernetes, cluster services, and applications. This topic provides the Helm and Terraform values for running Traceable's eBPF agent under OpenShift's Security Context Constraints (SCC). An SCC lets cluster administrators control the permissions a pod may request, such as host namespaces, Linux capabilities, volume types, and SELinux context. For more information, see [Managing Security Context Constraints](https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html).

Before you configure the Helm or Terraform values for SCC in an OpenShift environment, make sure that Traceable's eBPF agent is already installed. For more information on deployment, see [eBPF](/docs/ebpf).

The following table provides Helm and Terraform values for SCC on OpenShift.

| Helm value | Terraform variable | Type | Default value | Description |
| --- | --- | --- | --- | --- |
| `ebpfSELinuxOptionsEnabled` | `ebpf_se_linux_options_enabled` | `bool` | `false` | Enables `seLinuxOptions` in the eBPF container's security context. The three values below take effect only when this is `true`. |
| `ebpfSELinuxOptionsRole` | `ebpf_se_linux_options_role` | `string` | `system_r` | Sets the `seLinuxOptions` role. |
| `ebpfSELinuxOptionsType` | `ebpf_se_linux_options_type` | `string` | `spc_t` | Sets the `seLinuxOptions` type. `spc_t` is the super-privileged container type, so the agent is not confined by the container SELinux policy. |
| `ebpfSELinuxOptionsUser` | `ebpf_se_linux_options_user` | `string` | `system_u` | Sets the `seLinuxOptions` user. |
| `ebpfOpenshiftSCC` | Not available | `bool` | `false` | Creates the Traceable security context constraint (recommended for OpenShift deployments). Terraform deployments must create the SCC manually, as described below. |

#### Create Traceable security context constraint (SCC) for Terraform deployments

As the table above shows, there is no Terraform variable that creates the Traceable security context constraint. If you deploy the eBPF agent with Terraform in an OpenShift environment, create the SCC yourself with the following manifest. Note that an SCC is a cluster-scoped resource, so the `metadata.namespace` field is ignored; what binds the SCC to the agent is the `users` entry, which must name the agent's service account in the namespace where the agent runs (`traceableai` in this example).

```yaml
# Source: traceable-agent-scc.yaml
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: traceable-agent-scc
  # SCCs are cluster-scoped; this namespace is ignored by the API server
  namespace: traceableai
  labels:
    app.kubernetes.io/name: traceable-agent
    app.kubernetes.io/instance: traceableai
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostDirVolumePlugin: true
allowHostIPC: true
allowHostNetwork: true
allowHostPID: true
allowHostPorts: true
readOnlyRootFilesystem: false
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
groups:
  - system:nodes
supplementalGroups:
  type: RunAsAny
users:
  # The agent's service account; change the namespace if the agent runs outside traceableai
  - system:serviceaccount:traceableai:traceable-agent-ebpf-service-account
volumes:
  - configMap
  - secret
  - emptyDir
  - hostPath
  - projected
allowedCapabilities:
  - IPC_LOCK
  - SYS_ADMIN
  - SYS_CHROOT
  - SYS_RESOURCE
  - SYS_PTRACE
  - SETFCAP
requiredDropCapabilities:
  - DAC_READ_SEARCH
  - LINUX_IMMUTABLE
  - NET_BROADCAST
  - NET_ADMIN
  - NET_RAW
  - IPC_OWNER
  - SYS_MODULE
  - SYS_RAWIO
  - SYS_PACCT
  - SYS_BOOT
  - SYS_NICE
  - SYS_TIME
  - SYS_TTY_CONFIG
  - MKNOD
  - LEASE
  - AUDIT_WRITE
  - AUDIT_CONTROL
  - MAC_OVERRIDE
  - MAC_ADMIN
  - SYSLOG
  - WAKE_ALARM
  - BLOCK_SUSPEND
  - AUDIT_READ
  - PERFMON
  - BPF
```

If you set `ebpf_run_as_privileged=true` in the Terraform variables when deploying the Traceable Platform agent, also set the following two fields to `true` in the manifest:

- `allowPrivilegedContainer: true`
- `allowPrivilegeEscalation: true`

Caution

Setting `allowPrivilegedContainer` and `allowPrivilegeEscalation` to `true` lets a pod admitted under this SCC run as a privileged container and perform operations that are otherwise restricted, which bypasses the capability limits listed above. Leave both fields `false` unless the agent is actually deployed with `ebpf_run_as_privileged=true`. For more information, see [About Security Context Constraints](https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html#security-context-constraints-about_configuring-internal-oauth).

Apply the manifest with `kubectl` (or `oc`, which accepts the same arguments):

```shell
kubectl apply -f traceable-agent-scc.yaml
```
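The manifest above and the `ebpf_run_as_privileged` rule are easy to get wrong by hand, so here is an added example (not Traceable's or OpenShift's code) that lints the SCC before you apply it and confirms afterwards which SCC admitted the agent pod. It assumes the `traceableai` namespace and service-account name from the manifest, uses only the Python standard library, and runs on constructed, abridged copies of the manifest and of `oc get pod -o json` output; the `openshift.io/scc` annotation it reads is the one OpenShift sets on admitted pods.

```python
"""Pre-apply lint and post-deploy check for the traceable-agent SCC.

Added example, not code from Traceable or OpenShift. Stdlib only: parse_scc()
reads just the flat top-level keys and top-level lists of the manifest (enough
for these checks; it is not a general YAML parser). SCC_YAML and POD_JSON are
constructed, abridged inputs using the namespace, service-account name and
ebpf_run_as_privileged variable the page uses.
"""
import json
import re

# Constructed, abridged copy of the page's SCC; the full manifest parses the same way.
SCC_YAML = """\
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: traceable-agent-scc
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostPID: true
users:
  - system:serviceaccount:traceableai:traceable-agent-ebpf-service-account
allowedCapabilities:
  - SYS_ADMIN
  - SYS_PTRACE
  - SYS_RESOURCE
requiredDropCapabilities:
  - SYS_MODULE
  - BPF
"""

# Constructed sample of `oc get pod <agent-pod> -n traceableai -o json`; OpenShift
# records the SCC that admitted a pod in its openshift.io/scc annotation.
POD_JSON = json.dumps({
    "metadata": {
        "name": "traceable-agent-ebpf-abc12",
        "namespace": "traceableai",
        "annotations": {"openshift.io/scc": "traceable-agent-scc"},
    }
})


def _scalar(value):
    low = value.strip().lower()
    if low in ("true", "false"):
        return low == "true"
    return value.strip().strip('"').strip("'")


def parse_scc(text):
    """Parse top-level `key: scalar` lines and top-level lists; nested maps are skipped."""
    doc, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            key, _, value = line.partition(":")
            current = key.strip()
            doc[current] = [] if value.strip() == "" else _scalar(value)
        elif line.lstrip().startswith("- ") and isinstance(doc.get(current), list):
            doc[current].append(_scalar(line.lstrip()[2:]))
    return doc


def lint_scc(doc, namespace, run_as_privileged=False):
    """Return a list of findings; an empty list means the SCC matches the deployment."""
    findings = []
    both = sorted(set(doc.get("allowedCapabilities", [])) &
                  set(doc.get("requiredDropCapabilities", [])))
    if both:
        findings.append(f"capabilities both allowed and required-dropped: {both}")
    # The page's rule: both privilege fields are true only when ebpf_run_as_privileged=true.
    for field in ("allowPrivilegedContainer", "allowPrivilegeEscalation"):
        if bool(doc.get(field, False)) != run_as_privileged:
            findings.append(f"{field} must be {str(run_as_privileged).lower()} "
                            f"when ebpf_run_as_privileged={str(run_as_privileged).lower()}")
    # Every grantee must be a service account in the agent's namespace.
    for user in doc.get("users", []):
        m = re.fullmatch(r"system:serviceaccount:([^:]+):([^:]+)", user)
        if not m:
            findings.append(f"users entry is not a service account: {user!r}")
        elif m.group(1) != namespace:
            findings.append(f"{user!r} is outside namespace {namespace!r}")
    return findings


def set_privileged(text, enabled):
    """Rewrite both privilege fields in the manifest text to mirror ebpf_run_as_privileged."""
    value = "true" if enabled else "false"
    for field in ("allowPrivilegedContainer", "allowPrivilegeEscalation"):
        text = re.sub(rf"^{field}:.*$", f"{field}: {value}", text, flags=re.MULTILINE)
    return text


def admitted_scc(pod_json):
    """Return the SCC name OpenShift recorded for an admitted pod, or None."""
    pod = json.loads(pod_json)
    return pod.get("metadata", {}).get("annotations", {}).get("openshift.io/scc")


if __name__ == "__main__":
    print("non-privileged findings:", lint_scc(parse_scc(SCC_YAML), "traceableai"))
    privileged = parse_scc(set_privileged(SCC_YAML, True))
    print("privileged findings:", lint_scc(privileged, "traceableai", run_as_privileged=True))
    print("admitted under:", admitted_scc(POD_JSON))
```

Pass `run_as_privileged=True` only when the Terraform deployment used `ebpf_run_as_privileged=true`; a non-empty findings list means the manifest and the deployment disagree. After `kubectl apply`, feed the real pod JSON to `admitted_scc`: if it returns `privileged` or another name instead of `traceable-agent-scc`, a different SCC granted to that service account is being selected and this one is not the constraint actually in effect.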

## Related

- [eBPF](/ebpf.md)
- [eBPF and custom selectors](/ebpf-custom-selectors.md)
