Merge pull request #59180 from ousleyp/cnv-21610

ousleyp · web-flow · commit 3aca0fe3525f · 2023-05-09T18:29:34.000-04:00
CNV-21610: 4.13 updates re: security/privileges
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -3595,7 +3595,7 @@ Topics:
   File: upgrading-virt
   Distros: openshift-origin
 - Name: Security policies
-  File: virt-additional-security-privileges-controller-and-launcher
+  File: virt-security-policies
 - Name: Using the CLI tools
   File: virt-using-the-cli-tools
 - Name: Virtual machines
diff --git a/modules/virt-about-workload-security.adoc b/modules/virt-about-workload-security.adoc
@@ -1,13 +1,11 @@
 // Module included in the following assemblies:
 //
-// * virt/virt-additional-security-privileges-controller-and-launcher.adoc
+// * virt/virt-security-policies.adoc
 
 :_content-type: CONCEPT
 [id="virt-about-workload-security_{context}"]
 = About workload security
 
-By default, virtual machine (VM) workloads do not run with root privileges in {VirtProductName}.
+By default, virtual machine (VM) workloads do not run with root privileges in {VirtProductName}, and there are no supported {VirtProductName} features that require root privileges.
 
-For each VM, a `virt-launcher` pod runs an instance of `libvirt` in _session mode_ to manage the VM process. In session mode, the `libvirt` daemon runs as a non-root user account and only permits connections from clients that are running under the same user identifier (UID). Therefore, VMs run as unprivileged pods, adhering to the security principle of least privilege.
-
-There are no supported {VirtProductName} features that require root privileges. If a feature requires root, it might not be supported for use with {VirtProductName}.
+For each VM, a `virt-launcher` pod runs an instance of `libvirt` in _session mode_ to manage the VM process. In session mode, the `libvirt` daemon runs as a non-root user account and only permits connections from clients that are running under the same user identifier (UID). Therefore, VMs run as unprivileged pods, adhering to the security principle of least privilege.
diff --git a/modules/virt-additional-scc-for-kubevirt-controller.adoc b/modules/virt-additional-scc-for-kubevirt-controller.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * virt/virt-additional-security-privileges-controller-and-launcher.adoc
+// * virt/virt-security-policies.adoc
 
 :_content-type: REFERENCE
 [id="virt-additional-scc-for-kubevirt-controller_{context}"]
@@ -20,11 +20,10 @@ This allows virtual machines to use the hostpath volume plugin.
 * `scc.AllowPrivilegedContainer = false` +
 This ensures the virt-launcher pod is not run as a privileged container.
 
-* `scc.AllowedCapabilities = []corev1.Capability{"SYS_NICE", "NET_BIND_SERVICE", "SYS_PTRACE"}` +
+* `scc.AllowedCapabilities = []corev1.Capability{"SYS_NICE", "NET_BIND_SERVICE"}` +
 
 ** `SYS_NICE` allows setting the CPU affinity.
 ** `NET_BIND_SERVICE` allows DHCP and Slirp operations.
-** `SYS_PTRACE` enables certain versions of `libvirt` to find the process ID (PID) of `swtpm`, a software Trusted Platform Module (TPM) emulator.
 
 == Viewing the SCC and RBAC definitions for the kubevirt-controller
 
diff --git a/modules/virt-extended-selinux-policies-for-virt-launcher.adoc b/modules/virt-extended-selinux-policies-for-virt-launcher.adoc
diff --git a/virt/virt-additional-security-privileges-controller-and-launcher.adoc b/virt/virt-additional-security-privileges-controller-and-launcher.adoc
diff --git a/virt/virt-security-policies.adoc b/virt/virt-security-policies.adoc
@@ -0,0 +1,26 @@
+:_content-type: ASSEMBLY
+[id="virt-security-policies"]
+= Security policies
+include::_attributes/common-attributes.adoc[]
+:context: virt-security-policies
+
+toc::[]
+
+Learn about {VirtProductName} security and authorization.
+
+.Key points
+* {VirtProductName} adheres to the `restricted` link:https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted[Kubernetes pod security standards] profile, which aims to enforce the current best practices for pod security.
+
+* Virtual machine (VM) workloads run as unprivileged pods. 
+
+* xref:../authentication/managing-security-context-constraints.adoc#security-context-constraints-about_configuring-internal-oauth[Security context constraints] (SCCs) are defined for the `kubevirt-controller` service account.
+
+include::modules/virt-about-workload-security.adoc[leveloffset=+1]
+
+include::modules/virt-additional-scc-for-kubevirt-controller.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_{context}"]
+== Additional resources
+* xref:../authentication/managing-security-context-constraints.adoc#security-context-constraints-about_configuring-internal-oauth[Managing security context constraints]
+* xref:../authentication/using-rbac.adoc#using-rbac[Using RBAC to define and apply permissions]
