Adding the Security Profiles Operator to OpenShift

Author: sheriff-rh

_topic_maps/_topic_map.yml

@@ -899,6 +899,27 @@ Topics:
     File: file-integrity-operator-advanced-usage
   - Name: Troubleshooting the File Integrity Operator
     File: file-integrity-operator-troubleshooting
+- Name: Security Profiles Operator
+  Dir: security_profiles_operator
+  Topics:
+  - Name: Security Profiles Operator overview
+    File: spo-overview
+  - Name: Security Profiles Operator release notes
+    File: spo-release-notes
+  - Name: Understanding the Security Profiles Operator
+    File: spo-understanding
+  - Name: Enabling the Security Profiles Operator
+    File: spo-enabling
+  - Name: Managing seccomp profiles
+    File: spo-seccomp
+  - Name: Managing SELinux profiles
+    File: spo-selinux
+  - Name: Advanced Security Profiles Operator tasks
+    File: spo-advanced
+  - Name: Troubleshooting the Security Profiles Operator
+    File: spo-troubleshooting
+  - Name: Uninstalling the Security Profiles Operator
+    File: spo-uninstalling
 - Name: cert-manager Operator for Red Hat OpenShift
   Dir: cert_manager_operator
   Distros: openshift-enterprise

modules/spo-about.adoc

@@ -0,0 +1,13 @@
+// Module included in the following assemblies:
+//
+// * security/security_profiles_operator/spo-understanding.adoc
+
+:_content-type: CONCEPT
+[id="spo-about_{context}"]
+= About Security Profiles
+
+Security profiles can increase security at the container level in your cluster.
+
+Seccomp security profiles list the syscalls a process can make. Permissions are broader than SELinux, enabling users to restrict operations system-wide, such as `write`.
+
+SELinux security profiles provide a label-based system that restricts the access and usage of processes, applications, or files in a system. All files in an environment have labels that define permissions. SELinux profiles can define access within a given structure, such as directories.

modules/spo-applying-profiles.adoc

@@ -0,0 +1,184 @@
+// Module included in the following assemblies:
+//
+// * security/security_profiles_operator/spo-seccomp.adoc
+// * security/security_profiles_operator/spo-selinux.adoc
+
+ifeval::["{context}" == "spo-seccomp"]
+:seccomp:
+:type: seccomp
+:kind: SeccompProfile
+endif::[]
+ifeval::["{context}" == "spo-selinux"]
+:selinux:
+:type: SELinux
+:kind: SelinuxProfile
+endif::[]
+
+:_content-type: PROCEDURE
+[id="spo-applying-profiles_{context}"]
+= Applying {type} profiles to a pod
+
+Create a pod to apply one of the created profiles.
+
+ifdef::selinux[]
+For {type} profiles, the namespace must be labelled to allow link:https://kubernetes.io/docs/concepts/security/pod-security-standards/[privileged] workloads.
+
+endif::[]
+.Procedure
+
+ifdef::seccomp[]
+. Create a pod object that defines a `securityContext`:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-pod
+spec:
+  securityContext:
+    seccompProfile:
+      type: Localhost
+      localhostProfile: operator/my-namespace/profile1.json
+  containers:
+    - name: test-container
+      image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
+----
+
+. View the profile path of the `seccompProfile.localhostProfile` attribute by running the following command:
++
+[source,terminal]
+----
+$ oc -n my-namespace get seccompprofile profile1 --output wide
+----
++
+.Example output
+[source,terminal]
+----
+NAME       STATUS   AGE   SECCOMPPROFILE.LOCALHOSTPROFILE
+profile1   Active   14s   operator/my-namespace/profile1.json
+----
+
+. View the path to the localhost profile by running the following command:
++
+[source,terminal]
+----
+$ oc get sp profile1 --output=jsonpath='{.status.localhostProfile}'
+----
++
+.Example output
+[source,terminal]
+----
+operator/my-namespace/profile1.json
+----
+
+. Apply the `localhostProfile` output to the patch file:
++
+[source,yaml]
+----
+spec:
+  template:
+    spec:
+      securityContext:
+        seccompProfile:
+          type: Localhost
+          localhostProfile: operator/my-namespace/profile1.json
+----
+
+. Apply the profile to a `Deployment` object by running the following command:
++
+[source,terminal]
+----
+$ oc -n my-namespace patch deployment myapp --patch-file patch.yaml --type=merge
+----
++
+.Example output
+[source,terminal]
+----
+deployment.apps/myapp patched
+----
+
+.Verification
+
+* Confirm the profile was applied correctly by running the following command:
++
+[source,terminal]
+----
+$ oc -n my-namespace get deployment myapp --output=jsonpath='{.spec.template.spec.securityContext}' | jq .
+----
++
+.Example output
+[source,json]
+----
+{
+  "seccompProfile": {
+    "localhostProfile": "operator/my-namespace/profile1.json",
+    "type": "localhost"
+  }
+}
+----
+endif::[]
+ifdef::selinux[]
+
+. Apply the `scc.podSecurityLabelSync=false` label to the `nginx-deploy` namespace by running the following command:
++
+[source,terminal]
+----
+$ oc label ns nginx-deploy security.openshift.io/scc.podSecurityLabelSync=false
+----
+
+. Apply the `privileged` label to the `nginx-deploy` namespace by running the following command:
++
+[source,terminal]
+----
+$ oc label ns nginx-deploy --overwrite=true pod-security.kubernetes.io/enforce=privileged
+----
+
+. Obtain the SELinux profile usage string by running the following command:
++
+[source,terminal]
+----
+$ oc get selinuxprofile.security-profiles-operator.x-k8s.io/nginx-secure -n nginx-deploy -ojsonpath='{.status.usage}'
+----
++
+.Example output
+[source,terminal]
+----
+nginx-secure_nginx-deploy.process%
+----
+
+. Apply the output string in the workload manifest in the `.spec.containers[].securityContext.seLinuxOptions` attribute:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx-secure
+  namespace: nginx-deploy
+spec:
+  containers:
+    - image: nginxinc/nginx-unprivileged:1.21
+      name: nginx
+      securityContext:
+        seLinuxOptions:
+          # NOTE: This uses an appropriate SELinux type
+          type: nginx-secure_nginx-deploy.process
+----
++
+[IMPORTANT]
+====
+The SELinux `type` must exist before creating the workload.
+====
+endif::[]
+
+ifeval::["{context}" == "spo-seccomp"]
+:!seccomp:
+:!type:
+:!kind:
+endif::[]
+ifeval::["{context}" == "spo-selinux"]
+:!selinux:
+:!type:
+:!kind:
+endif::[]

modules/spo-base-syscalls.adoc

@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// * security/security_profiles_operator/spo-advanced.adoc
+
+:_content-type: PROCEDURE
+[id="spo-base-syscalls_{context}"]
+= Base syscalls for a container runtime
+
+You can use the `baseProfileName` attribute to establish the minimum required `syscalls` for a given runtime to start a container.
+
+.Procedure
+
+* Edit the `SeccompProfile` kind object and add `baseProfileName: runc-v1.0.0` to the `spec` field:
++
+[source,yaml]
+----
+apiVersion: security-profiles-operator.x-k8s.io/v1beta1
+kind: SeccompProfile
+metadata:
+  namespace: my-namespace
+  name: example-name
+spec:
+  defaultAction: SCMP_ACT_ERRNO
+  baseProfileName: runc-v1.0.0
+  syscalls:
+    - action: SCMP_ACT_ALLOW
+      names:
+        - exit_group
+----

modules/spo-binding-workloads.adoc

@@ -0,0 +1,98 @@
+// Module included in the following assemblies:
+//
+// * security/security_profiles_operator/spo-seccomp.adoc
+// * security/security_profiles_operator/spo-selinux.adoc
+
+ifeval::["{context}" == "spo-seccomp"]
+:seccomp:
+:type: seccomp
+:kind: SeccompProfile
+endif::[]
+ifeval::["{context}" == "spo-selinux"]
+:selinux:
+:type: SELinux
+:kind: SelinuxProfile
+endif::[]
+
+:_content-type: PROCEDURE
+[id="spo-binding-workloads_{context}"]
+= Binding workloads to profiles with ProfileBindings
+
+You can use the `ProfileBinding` resource to bind a security profile to the `SecurityContext` of a container.
+
+.Procedure
+
+. To bind a pod that uses a `quay.io/security-profiles-operator/test-nginx-unprivileged:1.21` image to the example `{kind}` profile, create a `ProfileBinding` object in the same namespace with the pod and the `{kind}` objects:
++
+[source,yaml,subs="attributes+"]
+----
+apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
+kind: ProfileBinding
+metadata:
+  namespace: my-namespace
+  name: nginx-binding
+spec:
+  profileRef:
+    kind: {kind} <1>
+    name: profile <2>
+  image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
+----
+<1> The `kind:` variable refers to the name of the profile.
+<2> The `name:` variable refers to the name of the profile.
+
+. Label the namespace with `enable-binding=true` by running the following command:
++
+[source,terminal]
+----
+$ oc label ns my-namespace spo.x-k8s.io/enable-binding=true
+----
+
+. Delete and re-create the pod to use the `ProfileBinding` object:
++
+[source,terminal,subs="attributes+"]
+----
+$ oc delete pods test-pod && oc create -f pod01.yaml
+----
+
+.Verification
+
+ifdef::seccomp[]
+* Confirm the pod inherits the `ProfileBinding` by running the following command:
++
+[source,terminal]
+----
+$ oc get pod test-pod -o jsonpath='{.spec.containers[*].securityContext.seccompProfile}'
+----
++
+.Example output
+[source,terminal]
+----
+{"localhostProfile":"operator/my-namespace/profile.json","type":"Localhost"}
+----
+endif::[]
+ifdef::selinux[]
+* Confirm the pod inherits the `ProfileBinding` by running the following command:
++
+[source,terminal]
+----
+$ oc get pod test-pod -o jsonpath='{.spec.containers[*].securityContext.seLinuxOptions.type}'
+----
++
+.Example output
+[source,terminal]
+----
+profile_nginx-binding.process
+----
+endif::[]
+
+
+ifeval::["{context}" == "spo-seccomp"]
+:!seccomp:
+:!type:
+:!kind:
+endif::[]
+ifeval::["{context}" == "spo-selinux"]
+:!selinux:
+:!type:
+:!kind:
+endif::[]