K8s: privileged mode #1410
Conversation
mich-elle-luna
left a comment
thank you!
heinrich-redislabs
left a comment
Added some comments
|
|
||
| [Security settings for Kubernetes pods](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) are configured in the [`SecurityContext`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core). The `allowPrivilegeEscalation` field controls if a container can gain more privileges than its parent process. | ||
|
|
||
| If `allowPrivilegeEscalation` is set to `true` the container can have additional [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) (such as `SYS_RESOURCE`) and is considered to be running in **privileged mode**. |
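Review bot: The second sentence reads as if setting `allowPrivilegeEscalation` to `true` is what grants capabilities such as `SYS_RESOURCE`. The first sentence defines the field correctly (whether a process may gain more privileges than its parent); capabilities are a separate `SecurityContext` setting. Consider stating that privileged mode here means both `allowPrivilegeEscalation: true` and the added `SYS_RESOURCE` capability, with every other capability dropped, so an admin reading this knows exactly what the container is granted.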
I think it's important to clarify that the Redis Enterprise Node container will have exactly one additional capability (SYS_RESOURCE), if we allow automatic resource limits adjustment, and no additional capabilities otherwise. While it may change in the future, in 7.22 only this capability will be added, while the rest of them are dropped.
Capabilities are a sensitive thing and I think admins will want to know exactly which capabilities the container will be granted.
This will be part of the DOC-5104 revision.
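The comment above makes the point that admins want to see exactly which capabilities the container ends up with. The following is an added example written for this thread; it is not code from the docs repository or from the Redis Enterprise operator. It reads a Pod manifest in the shape returned by `kubectl get pod -o json`, reports per container whether privilege escalation is allowed and which capabilities are added or dropped, and flags anything outside an allowlist. The allowlist (`SYS_RESOURCE` only) and the three sample pods are assumptions constructed to mirror the cases discussed above.

```python
"""Audit the effective privilege settings of every container in a Pod.

Added example for the review thread; not the operator's or the docs repo's
code. The allowlist and sample manifests are constructed assumptions.
"""
from typing import Any

# Assumption: the admin tolerates exactly one added capability, the one the
# thread says is granted when automatic resource-limit adjustment is enabled.
ALLOWED_ADDS = {"SYS_RESOURCE"}


def _norm(cap: str) -> str:
    """Compare capabilities on one spelling: "CAP_SYS_RESOURCE" -> "SYS_RESOURCE"."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(container: dict[str, Any]) -> dict[str, Any]:
    """Describe one container's escalation setting and capability changes."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    added = {_norm(c) for c in (caps.get("add") or [])}
    dropped = {_norm(c) for c in (caps.get("drop") or [])}
    # An absent allowPrivilegeEscalation does not set no_new_privs, so
    # escalation is not blocked; treat "unset" the same as true.
    allow_pe = sc.get("allowPrivilegeEscalation", True) is not False
    privileged_flag = bool(sc.get("privileged", False))
    return {
        "name": container.get("name", "<unnamed>"),
        "allow_privilege_escalation": allow_pe,
        "privileged_flag": privileged_flag,
        "added": sorted(added),
        "drops_all": "ALL" in dropped,
        "unexpected_adds": sorted(added - ALLOWED_ADDS),
        # "Privileged mode" in the sense used by the doc text: escalation is
        # allowed, or any capability is added, or the container is privileged.
        "privileged_mode": allow_pe or bool(added) or privileged_flag,
    }


def audit_pod(pod: dict[str, Any]) -> list[dict[str, Any]]:
    """Audit every container in a Pod manifest, init containers first."""
    spec = pod.get("spec") or {}
    containers = list(spec.get("initContainers") or []) + list(spec.get("containers") or [])
    return [audit_container(c) for c in containers]


def violations(pod: dict[str, Any]) -> list[str]:
    """Findings an admin would want raised before accepting the pod."""
    out: list[str] = []
    for f in audit_pod(pod):
        if f["privileged_flag"]:
            out.append(f"{f['name']}: privileged: true")
        if f["unexpected_adds"]:
            out.append(f"{f['name']}: adds capabilities outside allowlist: {f['unexpected_adds']}")
        if f["added"] and not f["drops_all"]:
            out.append(f"{f['name']}: adds capabilities without dropping ALL")
    return out


def _pod(name: str, sc: dict[str, Any]) -> dict[str, Any]:
    """Build a minimal constructed Pod manifest with one container."""
    return {"kind": "Pod", "metadata": {"name": name},
            "spec": {"containers": [{"name": "redis-enterprise-node",
                                     "image": "example.invalid/image:tag",
                                     "securityContext": sc}]}}


# Constructed samples that only mimic the shapes discussed in the thread.
UNPRIVILEGED_POD = _pod("rec-0", {"allowPrivilegeEscalation": False,
                                  "capabilities": {"drop": ["ALL"]}})
PRIVILEGED_POD = _pod("rec-1", {"allowPrivilegeEscalation": True,
                                "capabilities": {"add": ["SYS_RESOURCE"], "drop": ["ALL"]}})
OVERPRIVILEGED_POD = _pod("rec-2", {"allowPrivilegeEscalation": True,
                                    "capabilities": {"add": ["CAP_SYS_RESOURCE", "SYS_ADMIN"]}})

if __name__ == "__main__":
    for pod in (UNPRIVILEGED_POD, PRIVILEGED_POD, OVERPRIVILEGED_POD):
        print(pod["metadata"]["name"], audit_pod(pod), violations(pod))
```

The `privileged_mode` flag follows the doc's own definition (escalation allowed or a capability added) rather than the narrower Kubernetes `privileged: true`, which is why the second sample reports privileged mode while producing no violation: it adds only the allowlisted capability and drops everything else.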
| ## Security context constraints | ||
|
|
||
| The Redis Enterprise pods must run in OpenShift with privileges set in a [Security Context Constraint](https://docs.openshift.com/container-platform/4.4/authentication/managing-security-context-constraints.html#security-context-constraints-about_configuring-internal-oauth). This grants the pod various rights, such as the ability to change system limits or run as a particular user. | ||
| Upgrades to versions 7.22.0-6 and later run in **unprivileged mode** without any additional permissions or capabilities. If you don't specifally require additional capabilities, we recommend you maintain the default unprivileged mode, as its more secure. After upgrading, remove the existing `redis-enterprise-scc-v2` SCC and unbind it from the REC service account. |
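Review bot: Two typos in the second paragraph: "specifally" should be "specifically" and "as its more secure" should be "as it's more secure". The same paragraph also tells every reader to remove `redis-enterprise-scc-v2` after upgrading, but the preceding sentence allows for a cluster that still requires additional capabilities; consider conditioning the removal on the cluster actually running in unprivileged mode, e.g. "If no feature requiring additional capabilities is enabled, remove the existing `redis-enterprise-scc-v2` SCC ...".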
This could be a bit misleading. Users do not require additional capabilities. Instead, there are certain features which could be turned on by users, that affect the security context of the Redis Enterprise Node container.
I think it's better to say something along the lines of:
"Unless specific features requiring additional capabilities are enabled, the Redis Enterprise cluster is running in unprivileged mode, that does not need the redis-enterprise-scc-v2."
You can also point out that currently the only feature requiring SYS_RESOURCE and privilege escalation is automatic resource limit adjustment.
This will be part of the DOC-5104 revision.
| ## Enable privileged mode | ||
| To allow the Redis Enterprise container additional capabilities, you can enable **privileged mode**. Note that changing the following value on a running cluster will trigger a rolling update. |
I think this could be rephrased to reflect the fact that enabling certain features, like automatic resource limits adjustment, will result in running the redis-enterprise-node container in privileged mode (with SYS_RESOURCE and allowing privilege escalation).
This will be part of the DOC-5104 revision.
| ## Security context constraints | ||
|
|
||
| The Redis Enterprise pods must run in OpenShift with privileges set in a [Security Context Constraint](https://docs.openshift.com/container-platform/4.4/authentication/managing-security-context-constraints.html#security-context-constraints-about_configuring-internal-oauth). This grants the pod various rights, such as the ability to change system limits or run as a particular user. | ||
| Upgrades to versions 7.22.0-6 and later run in **unprivileged mode** without any additional permissions or capabilities. If you don't specifally require additional capabilities, we recommend you maintain the default unprivileged mode, as its more secure. After upgrading, remove the existing `redis-enterprise-scc-v2` SCC and unbind it from the REC service account. |
I would say something like:
"Upgrades to versions 7.22.0-6 and later run in unprivileged mode without any additional permissions or capabilities, unless specific features requiring additional capabilities are turned on."
This will be part of the DOC-5104 revision.
kaitlynmichael
left a comment
inaccuracy changes
kaitlynmichael
left a comment
This will be part of the DOC-5104 revision.
| ## Security context constraints | ||
|
|
||
| The Redis Enterprise pods must run in OpenShift with privileges set in a [Security Context Constraint](https://docs.openshift.com/container-platform/4.4/authentication/managing-security-context-constraints.html#security-context-constraints-about_configuring-internal-oauth). This grants the pod various rights, such as the ability to change system limits or run as a particular user. | ||
| Upgrades to versions 7.22.0-6 and later run in **unprivileged mode** without any additional permissions or capabilities. If you don't specifally require additional capabilities, we recommend you maintain the default unprivileged mode, as its more secure. After upgrading, remove the existing `redis-enterprise-scc-v2` SCC and unbind it from the REC service account. |
This will be part of the DOC-5104 revision.
| ## Security context constraints | ||
|
|
||
| The Redis Enterprise pods must run in OpenShift with privileges set in a [Security Context Constraint](https://docs.openshift.com/container-platform/4.4/authentication/managing-security-context-constraints.html#security-context-constraints-about_configuring-internal-oauth). This grants the pod various rights, such as the ability to change system limits or run as a particular user. | ||
| Upgrades to versions 7.22.0-6 and later run in **unprivileged mode** without any additional permissions or capabilities. If you don't specifally require additional capabilities, we recommend you maintain the default unprivileged mode, as its more secure. After upgrading, remove the existing `redis-enterprise-scc-v2` SCC and unbind it from the REC service account. |
This will be part of the DOC-5104 revision.
|
|
||
| [Security settings for Kubernetes pods](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) are configured in the [`SecurityContext`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core). The `allowPrivilegeEscalation` field controls if a container can gain more privileges than its parent process. | ||
|
|
||
| If `allowPrivilegeEscalation` is set to `true` the container can have additional [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) (such as `SYS_RESOURCE`) and is considered to be running in **privileged mode**. |
This will be part of the DOC-5104 revision.
| ## Enable privileged mode | ||
| To allow the Redis Enterprise container additional capabilities, you can enable **privileged mode**. Note that changing the following value on a running cluster will trigger a rolling update. |
This will be part of the DOC-5104 revision.
* 7.8.6 version_archiver
* add version frontmatter helper
* inject frontmatter url
* update archive links
* remove aliases from api frontmatter patch
* add version banner
* k8s api docs 7.22.0-6 (#1409)
* k8s api docs 7.22.0-6
* remove alertSettings from REAADB
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Kaitlyn Michael <[email protected]>
* Update content/operate/kubernetes/7.8.6/_index.md
Co-authored-by: andy-stark-redis <[email protected]>
* Update content/operate/kubernetes/7.8.6/active-active/_index.md
Co-authored-by: andy-stark-redis <[email protected]>
* Update content/operate/kubernetes/7.8.6/active-active/create-aa-crdb-cli.md
Co-authored-by: andy-stark-redis <[email protected]>
* Update content/operate/kubernetes/7.8.6/upgrade/openshift-cli.md
Co-authored-by: andy-stark-redis <[email protected]>
* Update content/operate/kubernetes/7.8.6/active-active/_index.md
Co-authored-by: andy-stark-redis <[email protected]>
* Update content/operate/kubernetes/7.8.6/upgrade/upgrade-olm.md
Co-authored-by: andy-stark-redis <[email protected]>
* Update content/operate/kubernetes/7.8.6/upgrade/upgrade-redis-cluster.md
Co-authored-by: andy-stark-redis <[email protected]>
* Update content/operate/kubernetes/7.8.6/active-active/global-config.md
Co-authored-by: andy-stark-redis <[email protected]>
* update docs-nav
* fix version banners
* remove frontmatter script
* fix banners
* K8s: privileged mode (#1410)
* enable privileged mode
* copy edits
* change SCC steps in install and upgrade
* clean up old files
* openshift upgrade remove scc
* Apply suggestions from code review
* K8s: X-Wing release notes (#1411)
* typo
* initial draft
* RN edits
* release notes
* relref
* copy edits
* link to API reference
* vanilla k8s
* openshift
* EKS
* aks
* gke
* rancher
* tkg
* tkgi
* spacing issue
* update version numbers
* call home client
---------
Co-authored-by: redisdocsapp[bot] <177626021+redisdocsapp[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: andy-stark-redis <[email protected]>
DOC-5051
This feature is part of the X-wing release