Commit cdddf35

CNV-16326: session mode
1 parent 849f34a commit cdddf35

5 files changed: +27 −13 lines changed

_topic_maps/_topic_map.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3210,7 +3210,7 @@ Topics:
32103210
- Name: Updating OKD Virtualization
32113211
File: upgrading-virt
32123212
Distros: openshift-origin
3213-
- Name: Additional security privileges granted for kubevirt-controller and virt-launcher
3213+
- Name: Security policies
32143214
File: virt-additional-security-privileges-controller-and-launcher
32153215
- Name: Using the CLI tools
32163216
File: virt-using-the-cli-tools
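Review bot: the renamed topic `Security policies` (line 3213) is generic while the file it points at stays `virt-additional-security-privileges-controller-and-launcher`; URLs are unaffected because the file name is what matters, but a reader scanning the topic map can no longer tell that this entry covers the kubevirt-controller SCCs and the virt-launcher SELinux policy. Consider a name that keeps the scope visible, for example `Security policies for virt-launcher and kubevirt-controller`, or leave it and mention the deliberate title/file-name mismatch in the commit message so the next rename does not "fix" it.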
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * virt/virt-additional-security-privileges-controller-and-launcher.adoc
4+
5+
:_content-type: CONCEPT
6+
[id="virt-about-workload-security_{context}"]
7+
= About workload security
8+
9+
By default, virtual machine (VM) workloads do not run with root privileges in {VirtProductName}.
10+
11+
For each VM, a `virt-launcher` pod runs an instance of `libvirt` in _session mode_ to manage the VM process. In session mode, the `libvirt` daemon runs as a non-root user account and only permits connections from clients that are running under the same user identifier (UID). Therefore, VMs run as unprivileged pods, adhering to the security principle of least privilege.
12+
13+
There are no supported {VirtProductName} features that require root privileges. If a feature requires root, it might not be supported for use with {VirtProductName}.
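Review bot: lines 11 and 13 of the new module pull in different directions. Line 13 first states flatly that no supported feature requires root, then hedges with "it might not be supported"; a reader who finds a root-requiring feature is left unsure whether it is unsupported or merely undocumented. Pick one statement, for example "Features that require root privileges are not supported in {VirtProductName}." Line 11 says the `libvirt` daemon runs as a non-root user and only accepts same-UID clients, but it never says what the VM process itself runs as; since the point of the module is least privilege, state explicitly that the VM process is started under that same unprivileged UID inside the `virt-launcher` pod. It would also help to point out that "unprivileged" here is not "no extra policy": the assembly in this same commit says `virt-launcher` still gets an extended `container_t` SELinux policy, and a sentence linking the two avoids the impression that session mode alone is the whole story.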

modules/virt-additional-scc-for-kubevirt-controller.adoc

Lines changed: 1 addition & 0 deletions
@@ -2,6 +2,7 @@
22
//
33
// * virt/virt-additional-security-privileges-controller-and-launcher.adoc
44

5+
:_content-type: REFERENCE
56
[id="virt-additional-scc-for-kubevirt-controller_{context}"]
67
= Additional {product-title} security context constraints and Linux capabilities for the kubevirt-controller service account
78

modules/virt-extended-selinux-policies-for-virt-launcher.adoc

Lines changed: 1 addition & 0 deletions
@@ -2,6 +2,7 @@
22
//
33
// * virt/virt-additional-security-privileges-controller-and-launcher.adoc
44

5+
:_content-type: REFERENCE
56
[id="virt-extended-selinux-policies-for-virt-launcher_{context}"]
67
= Extended SELinux policies for virt-launcher pods
78

Lines changed: 11 additions & 12 deletions
@@ -1,27 +1,26 @@
11
:_content-type: ASSEMBLY
22
[id="virt-additional-security-privileges-controller-and-launcher"]
3-
= Additional security privileges granted for kubevirt-controller and virt-launcher
3+
= Security policies
44
include::_attributes/common-attributes.adoc[]
55
:context: virt-additional-security-privileges-controller-and-launcher
66

77
toc::[]
88

9-
The `kubevirt-controller` and virt-launcher pods are granted some SELinux policies and Security Context Constraints privileges that are in addition to typical pod owners. These privileges enable virtual machines to use {VirtProductName} features.
9+
Virtual machine (VM) workloads run as unprivileged pods. So that VMs can use {VirtProductName} features, some pods are granted custom security policies that are not available to other pod owners:
10+
11+
* An extended `container_t` SELinux policy applies to `virt-launcher` pods.
12+
* xref:../authentication/managing-security-context-constraints.adoc#security-context-constraints-about_configuring-internal-oauth[Security context constraints] (SCCs) are defined for the `kubevirt-controller` service account.
13+
14+
include::modules/virt-about-workload-security.adoc[leveloffset=+1]
1015

1116
include::modules/virt-extended-selinux-policies-for-virt-launcher.adoc[leveloffset=+1]
1217

1318
include::modules/virt-additional-scc-for-kubevirt-controller.adoc[leveloffset=+1]
1419

1520
[role="_additional-resources"]
21+
[id="additional-resources_{context}"]
1622
== Additional resources
1723

18-
* The Red Hat Enterprise Linux Virtualization Tuning and Optimization Guide has more information on link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_tuning_and_optimization_guide/sect-virtualization_tuning_optimization_guide-networking-techniques#mult[network multi-queue]
19-
and
20-
link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_tuning_and_optimization_guide/sect-virtualization_tuning_optimization_guide-memory-tuning#sect-Virtualization_Tuning_Optimization_Guide-Memory-Huge_Pages[huge pages].
21-
22-
* The `capabilities` man page has more information on the Linux capabilities.
23-
24-
* The `sysfs(5)` man page has more information on sysfs.
25-
26-
* The {product-title} Authentication guide has more information on
27-
xref:../authentication/managing-security-context-constraints.adoc#security-context-constraints-about_configuring-internal-oauth[Security Context Constraints].
24+
// these are RHEL 7 links; unsure if there is an equivalent in later versions //
25+
* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_tuning_and_optimization_guide/sect-virtualization_tuning_optimization_guide-networking-techniques#sect-Virtualization_Tuning_Optimization_Guide-Networking-Multi-queue_virtio-net[Network multi-queue]
26+
* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_tuning_and_optimization_guide/sect-virtualization_tuning_optimization_guide-memory-tuning#sect-Virtualization_Tuning_Optimization_Guide-Memory-Huge_Pages[Huge pages]
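Review bot: line 24 commits an unresolved TODO into the source ("these are RHEL 7 links; unsure if there is an equivalent in later versions"); either resolve it before merge or track it in an issue, and drop the trailing `//`, which is not part of AsciiDoc line-comment syntax and will confuse anyone grepping for open comments. The removed bullets for the `capabilities` and `sysfs(5)` man pages are a content loss: the included kubevirt-controller module is still titled "... security context constraints and Linux capabilities", so the capabilities reference at least should stay. The multi-queue anchor change from `#mult` to the full section id reads as a genuine link fix; confirm the anchor resolves on the live page, since a wrong anchor silently lands the reader at the top of the guide. The SCC xref dropped from Additional resources now lives in the intro (line 12), so that one is fine.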
