woose/90DaysOfDevOps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

day59 formatting changes

Browse Source
This commit is contained in:
Dean Lewis 2023-03-29 17:59:40 +01:00
parent 6fb3c32d44
commit 51d030cf6e
No known key found for this signature in database
GPG Key ID: FB8A62795F0ADC69
1 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
2023/day59.md
View File

@ -78,7 +78,7 @@ You can learn more about Linux capabilities [here](https://linuxera.org/containe
You can [specify additional capabilities for your pod](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container) as per the below example. You can [specify additional capabilities for your pod](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container) as per the below example.
```` ````yaml
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
@ -118,7 +118,7 @@ The restricted-v2 SCC:
You can get this SCC configuration by running ```oc get scc restricted-v2 -o yaml``` You can get this SCC configuration by running ```oc get scc restricted-v2 -o yaml```
```` ````yaml
allowHostDirVolumePlugin: false allowHostDirVolumePlugin: false
allowHostIPC: false allowHostIPC: false
allowHostNetwork: false allowHostNetwork: false
@ -198,7 +198,7 @@ The privileged SCC allows:
You can get this SCC configuration by running ```oc get scc privileged -o yaml``` You can get this SCC configuration by running ```oc get scc privileged -o yaml```
```` ````yaml
allowHostDirVolumePlugin: true allowHostDirVolumePlugin: true
allowHostIPC: true allowHostIPC: true
allowHostNetwork: true allowHostNetwork: true
@ -274,7 +274,7 @@ First, I need to create the namespace to place the components in, ```oc create n
Now I apply the below YAML file ```oc apply -f mongo-test.yaml``` Now I apply the below YAML file ```oc apply -f mongo-test.yaml```
```` ````yaml
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
@ -404,7 +404,7 @@ replicaset.apps/mongo-56cc764fb 1 0 0 3m9s
The provided Kubernetes application includes an initContainer with the following security context: The provided Kubernetes application includes an initContainer with the following security context:
```` ````yaml
securityContext: securityContext:
runAsUser: 0 runAsUser: 0
```` ````
@ -417,7 +417,7 @@ To resolve this issue, we need to modify the deployment configuration to comply
1. Create a new custom SCC, and save the below YAML in a file called mongo-custom-scc.yaml: 1. Create a new custom SCC, and save the below YAML in a file called mongo-custom-scc.yaml:
```` ````yaml
apiVersion: security.openshift.io/v1 apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints kind: SecurityContextConstraints
metadata: metadata:
@ -439,13 +439,13 @@ supplementalGroups:
2. Apply the custom SCC to your OpenShift cluster: 2. Apply the custom SCC to your OpenShift cluster:
```` ````sh
oc apply -f mongo-custom-scc.yaml oc apply -f mongo-custom-scc.yaml
```` ````
3. Grant the mongo-custom-scc SCC to the service account that the MongoDB deployment is using: 3. Grant the mongo-custom-scc SCC to the service account that the MongoDB deployment is using:
```` ````sh
oc adm policy add-scc-to-user mongo-custom-scc system:serviceaccount:<namespace>:default oc adm policy add-scc-to-user mongo-custom-scc system:serviceaccount:<namespace>:default
# In my environment, I run: # In my environment, I run:
@ -473,7 +473,7 @@ If they do need some sort of privilege, then defining tight RBAC and SCC control
In this post, we discussed how the default security context constraints in OpenShift can prevent deployments from running as expected. We provided a solution to the specific issue of running an initContainer as root for a MongoDB application. Understanding and managing SCCs in OpenShift is essential for maintaining secure and compliant applications within your cluster. In this post, we discussed how the default security context constraints in OpenShift can prevent deployments from running as expected. We provided a solution to the specific issue of running an initContainer as root for a MongoDB application. Understanding and managing SCCs in OpenShift is essential for maintaining secure and compliant applications within your cluster.
On [Day 60](/day60.md)](/day60.md), we will look at RBAC in a cluster in more detail, such as the accounts used to access a cluster, the service accounts used by container, and how you tie it all together to areas such as consuming SCC and other features of Red Hat OpenShift. On [Day 60](/day60.md)](/day60.md), we will look at OpenShift Projects and RBAC in a cluster in more detail, such as the accounts used to access a cluster, the service accounts used by container, and how you tie it all together to areas such as consuming SCC via the project level, and other features of Red Hat OpenShift.
## Resources ## Resources