enable privileged mode

Author: kaitlynmichael

content/operate/kubernetes/security/enable-privileged-mode.md

@@ -0,0 +1,116 @@
+---
+categories:
+- docs
+- operate
+- kubernetes
+description: Enable adding additional capabilities to the security context for the Redis Enterprise container by editing the `allowPrivilegeEscalation` field in the REC.
+linkTitle: Enable privileged mode
+title: Enable privileged mode
+weight: 98
+---
+
+[Security settings for Kubernetes pods](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) are configured in the [`SecurityContext`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core). The `allowPrivilegeEscalation` field controls if a container can gain more privileges than its parent process.
+
+If `allowPrivilegeEscalation` is set to `true` the container can have additional [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) (such as `SYS_RESOURCE`) and is considered to be running in **privileged mode**.
+
+Redis Enterprise for Kubernetes 7.22.0-6 introduces the ability to run in **unprivileged mode**, where all capabilities are dropped from the Redis Enterprise container and `allowPrivilegeEscalation` is set to `false`. All other security-related settings remain the same as in privileged mode. Unprivileged mode is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later.
+
+## Default behavior
+
+**Unprivileged mode** is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. This default behavior is in effect if REC spec has `allowAutoAdjustment` set to `false` or removed.
+
+The REC security context will look like this in unprivileged mode:
+
+```yaml
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  privileged: false
+  readOnlyRootFilesystem: false
+```
+
+## Enable privileged mode
+
+To allow the Redis Enterprise container additional capabilities, you can enable **privileged mode**. Note that changing the following value on a running cluster will trigger a rolling update.
+
+To enable **privileged mode**, set `allowAutoAdjustment` to `true`.
+
+```yaml
+spec:
+  securityContext:
+    resourceLimits:
+      allowAutoAdjustment: true
+```
+
+In privileged mode, the security context should look like this:
+
+```yaml
+securityContext:
+  allowPrivilegeEscalation: true
+  capabilities:
+    add:
+    - SYS_RESOURCE
+    drop:
+    - ALL
+  privileged: false
+  readOnlyRootFilesystem: false
+```
+
+OpenShift users upgrading to 7.22.0-6 need to make changes to your existing SCC (security context constraint).
+
+## OpenShift Upgrades
+
+If running in **unprivileged mode**, remove the custom `redis-enterprise-scc-v2` and disconnect it from the REC service account after completing your upgrade.
+
+If running in **privileged mode**, manually reapply the [security context constraints (SCC)](https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html) file ([`scc.yaml`]({{< relref "/operate/kubernetes/deployment/openshift/openshift-cli#deploy-the-operator" >}})) and bind it to your service account. 
+
+```sh
+oc apply -f openshift/scc.yaml
+```
+
+```sh
+oc adm policy add-scc-to-user redis-enterprise-scc-v2 \
+  system:serviceaccount:<my-project>:<rec-name>
+```
+
+## New OpenShift installations
+
+New installations of Redis Enterprise for Kubernetes 7.22.0-6 and later automatically run in **unprivileged mode**, using a built-in `nonroot-v2-SCC` which is less permissive and more secure.
+
+To enable **privileged mode** after installation, apply and grant permissions to the `redis-enterprise-scc-v2` SCC.
+
+1. Apply the file `scc.yaml` file.
+
+   {{<warning>}}
+Do not edit this file.
+    {{</warning>}}
+
+    ```sh
+    oc apply -f openshift/scc.yaml
+    ```
+
+    You should receive the following response:
+
+    ```sh
+    securitycontextconstraints.security.openshift.io "redis-enterprise-scc-v2" configured
+    ```
+
+1. Provide the operator permissions for the pods.
+
+    ```sh
+    oc adm policy add-scc-to-user redis-enterprise-scc-v2 \
+      system:serviceaccount:<my-project>:<rec>
+    ```
+
+## SYS_RESOURCE
+
+The `SYS_RESOURCE` capability may be required if processes in the container need to raise resource limits, such as the maximum number of open file descriptors.
+
+Some Redis Enterprise processes require the ability to open at least 100,000 file descriptors. If the default limit is lower and the container lacks the `SYS_RESOURCE` capability, the process may fail repeatedly, rendering the cluster unusable. To use unprivileged mode, configure your Kubernetes worker nodes to ensure a default file descriptor limit of at least 100,000. 
+
+If you are already running a Redis Enterprise Cluster on Kubernetes, your worker nodes are likely configured correctly. In this case, it is safe to upgrade the operator and use unprivileged mode.
+
+Based on our testing, all major cloud providers configure Kubernetes worker nodes with file descriptor limits well above the required minimum. These setups are compatible with unprivileged mode. The only known exception is clusters created with [Kubespray](hhttps://kubespray.io/#/), which sets default file descriptor limits below the required 100,000. If you use Kubespray with default settings, you must run the operator in privileged mode.
+