From 97f4fbab39cba470e19bdaf4caf8ab88b47c89c2 Mon Sep 17 00:00:00 2001 From: GroceryBoyJr <75502996+GroceryBoyJr@users.noreply.github.com> Date: Thu, 9 Jul 2026 16:28:15 -0400 Subject: [PATCH] SEC-10: CQA of remaining SPO Files --- modules/spo-about.adoc | 1 + modules/spo-applying-profiles.adoc | 1 + modules/spo-configuring-webhooks.adoc | 1 + modules/spo-container-profile-instances.adoc | 1 + modules/spo-log-enricher.adoc | 1 + modules/spo-recording-profiles.adoc | 1 + modules/spo-selinux-permissive.adoc | 1 + modules/spo-selinux-runasany.adoc | 4 +-- modules/spo-uninstall-console.adoc | 5 ++- .../spo-logging.adoc | 12 ++++--- .../spo-overview.adoc | 35 +++++++++++-------- .../spo-selinux.adoc | 4 ++- .../spo-understanding.adoc | 3 +- .../spo-uninstalling.adoc | 7 ++-- 14 files changed, 47 insertions(+), 30 deletions(-) diff --git a/modules/spo-about.adoc b/modules/spo-about.adoc index e9b9db4c237f..2788f0e6605c 100644 --- a/modules/spo-about.adoc +++ b/modules/spo-about.adoc @@ -6,6 +6,7 @@ [id="spo-about_{context}"] = About Security Profiles +[role="_abstract"] Security profiles can increase security at the container level in your cluster. Seccomp security profiles list the syscalls a process can make. Permissions are broader than SELinux, enabling users to restrict operations system-wide, such as `write`. diff --git a/modules/spo-applying-profiles.adoc b/modules/spo-applying-profiles.adoc index 533024c55043..47e80d62f773 100644 --- a/modules/spo-applying-profiles.adoc +++ b/modules/spo-applying-profiles.adoc @@ -18,6 +18,7 @@ endif::[] [id="spo-applying-profiles_{context}"] = Applying {type} profiles to a pod +[role="_abstract"] Create a pod to apply one of the created profiles. ifdef::selinux[] diff --git a/modules/spo-configuring-webhooks.adoc b/modules/spo-configuring-webhooks.adoc index 1eb47cd8b901..e63c59a7dfd3 100644 --- a/modules/spo-configuring-webhooks.adoc +++ b/modules/spo-configuring-webhooks.adoc @@ -6,6 +6,7 @@ [id="spo-configuring-webhooks_{context}"] = Configuring webhooks +[role="_abstract"] Profile binding and profile recording objects can use webhooks. Profile binding and recording object configurations are `MutatingWebhookConfiguration` CRs, managed by the Security Profiles Operator. To change the webhook configuration, the `spod` CR exposes a `webhookOptions` field that allows modification of the `failurePolicy`, `namespaceSelector`, and `objectSelector` variables. This allows you to set the webhooks to "soft-fail" or restrict them to a subset of a namespaces so that even if the webhooks failed, other namespaces or resources are not affected. diff --git a/modules/spo-container-profile-instances.adoc b/modules/spo-container-profile-instances.adoc index 46533c786d9b..be008389119b 100644 --- a/modules/spo-container-profile-instances.adoc +++ b/modules/spo-container-profile-instances.adoc @@ -22,6 +22,7 @@ endif::[] [id="spo-container-profile-instances_{context}"] = Merging per-container profile instances +[role="_abstract"] By default, each container instance records into a separate profile. The Security Profiles Operator can merge the per-container profiles into a single profile. Merging profiles is useful when deploying applications using `ReplicaSet` or `Deployment` objects. .Procedure diff --git a/modules/spo-log-enricher.adoc b/modules/spo-log-enricher.adoc index 18b49732168a..b32e478c8601 100644 --- a/modules/spo-log-enricher.adoc +++ b/modules/spo-log-enricher.adoc @@ -6,6 +6,7 @@ [id="spo-log-enricher_{context}"] = Using the log enricher +[role="_abstract"] The Security Profiles Operator contains a log enrichment feature, which is disabled by default. The log enricher container runs with `privileged` permissions to read the audit logs from the local node. The log enricher runs within the host PID namespace, `hostPID`. [IMPORTANT] diff --git a/modules/spo-recording-profiles.adoc b/modules/spo-recording-profiles.adoc index 81c72cb821bd..e7e4e30f66d7 100644 --- a/modules/spo-recording-profiles.adoc +++ b/modules/spo-recording-profiles.adoc @@ -21,6 +21,7 @@ endif::[] [id="spo-recording-profiles_{context}"] = Recording profiles from workloads +[role="_abstract"] The Security Profiles Operator can record system calls with `ProfileRecording` objects, making it easier to create baseline profiles for applications. When using the log enricher for recording {type} profiles, verify the log enricher feature is enabled. See _Additional resources_ for more information. diff --git a/modules/spo-selinux-permissive.adoc b/modules/spo-selinux-permissive.adoc index adf557454d10..4fd6d3adbd97 100644 --- a/modules/spo-selinux-permissive.adoc +++ b/modules/spo-selinux-permissive.adoc @@ -6,6 +6,7 @@ [id="spo-selinux-permissive_{context}"] = Applying SELinux log policies +[role="_abstract"] To log policy violations or AVC denials, set the `SElinuxProfile` profile to `permissive`. [IMPORTANT] diff --git a/modules/spo-selinux-runasany.adoc b/modules/spo-selinux-runasany.adoc index 879218e12c21..e07df9e70c9f 100644 --- a/modules/spo-selinux-runasany.adoc +++ b/modules/spo-selinux-runasany.adoc @@ -1,6 +1,5 @@ // Module included in the following assemblies: // -// * security/security_profiles_operator/spo-seccomp.adoc // * security/security_profiles_operator/spo-selinux.adoc :_mod-docs-content-type: CONCEPT @@ -8,8 +7,9 @@ = About seLinuxContext: RunAsAny +[role="_abstract"] Recording of SELinux policies is implemented with a webhook that injects a special SELinux type to the pods being recorded. The SELinux type makes the pod run in `permissive` mode, logging all the AVC denials into `audit.log`. By default, a workload is not allowed to run with a custom SELinux policy, but uses an auto-generated type. To record a workload, the workload must use a service account that has permissions to use an SCC that allows the webhook to inject the permissive SELinux type. The `privileged` SCC contains `seLinuxContext: RunAsAny`. -In addition, the namespace must be labeled with `pod-security.kubernetes.io/enforce: privileged` if your cluster enables the link:https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission] because only the `privileged` link:https://kubernetes.io/docs/concepts/security/pod-security-standards/#privileged[Pod Security Standard] allows using a custom SELinux policy. +In addition, the namespace must be labeled with `pod-security.kubernetes.io/enforce: privileged` if your cluster enables Pod Security Admission, because only the privileged Pod Security Standard allows using a custom SELinux policy. diff --git a/modules/spo-uninstall-console.adoc b/modules/spo-uninstall-console.adoc index 84ad0f2a7bb2..0ac0d70676b4 100644 --- a/modules/spo-uninstall-console.adoc +++ b/modules/spo-uninstall-console.adoc @@ -1,11 +1,12 @@ // Module included in the following assemblies: // -// * security/security_profiles_operator/spo-troubleshooting.adoc +// * security/security_profiles_operator/spo-uninstalling.adoc :_mod-docs-content-type: PROCEDURE [id="spo-uninstall-console_{context}"] = Uninstall the Security Profiles Operator using the web console +[role="_abstract"] To remove the Security Profiles Operator, you must first delete the `seccomp` and SELinux profiles. After the profiles are removed, you can then remove the Operator and its namespace by deleting the *openshift-security-profiles* project. .Prerequisites @@ -15,8 +16,6 @@ To remove the Security Profiles Operator, you must first delete the `seccomp` an .Procedure -To remove the Security Profiles Operator by using the {product-title} web console: - . Navigate to the *Ecosystem* -> *Installed Operators* page. . Delete all `seccomp` profiles, SELinux profiles, and webhook configurations. diff --git a/security/security_profiles_operator/spo-logging.adoc b/security/security_profiles_operator/spo-logging.adoc index c00270af994f..d3a7eab5d241 100644 --- a/security/security_profiles_operator/spo-logging.adoc +++ b/security/security_profiles_operator/spo-logging.adoc @@ -1,5 +1,5 @@ :_mod-docs-content-type: ASSEMBLY -[id="spo-audit-logging_{context}"] +[id="spo-audit-logging"] = Advanced Audit Logging Framework include::_attributes/common-attributes.adoc[] :context: spo-audit-logging @@ -40,7 +40,7 @@ The Advanced Audit Logging feature uses eBPF as a supplemental data source. Whil Before enabling the Advanced Audit Logging Framework, ensure the following requirements are met. -Security Profiles Operator version 0.10.0 or later is installed. Those instructions can be found at https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/security_and_compliance/security-profiles-operator#spo-installing_spo-enabling[Installing the Security Profiles Operator]. The Advanced Audit Logging Framework requires Security Profiles Operator version 0.10.0 or later. +Security Profiles Operator version 0.10.0 or later is installed. The Advanced Audit Logging Framework requires Security Profiles Operator version 0.10.0 or later. For node debugging sessions: @@ -50,7 +50,7 @@ For node debugging sessions: If you are using the CRI-O runtime, you must configure it to allow `seccompProfile` to be applied to privileged containers. Add the following flag to your CRI-O runtime configuration: `--privileged-seccomp-profile=/var/lib/kubelet/seccomp/operator/profile1.json`. This is explained in more detail in the Advanced Audit Logging installation and enablement steps. The `--privileged-seccomp-profile` flag is available starting with OCP 4.20 and later. -If you are using any version of SPO before 0.9.0, you must perform a link:http://access.redhat.com/articles/7130594[migration procedure] to install versions 0.9.0 or 0.10.0. The migration procedure converts SPO to operate on cluster-scoped resources. +If you are using any version of SPO before 0.9.0, you must perform a migration procedure to install versions 0.9.0 or 0.10.0. The migration procedure converts SPO to operate on cluster-scoped resources. First-time installation of SPO version 0.10.0 does not require migration. Also, if you are currently on SPO 0.9.0, you do not require migration and can directly upgrade to SPO 0.10.0. @@ -87,10 +87,12 @@ include::modules/spo-log-webhook.adoc[leveloffset=+1] include::modules/spo-log-disable.adoc[leveloffset=+1] -// [role="_additional-resources"] -// [id="additional-resources_spo-logging"] +[id="additional-resources_{context}"] +[role="_additional-resources"] == Additional resources +* xref:../../security/security_profiles_operator/spo-enabling.adoc#spo-installing_spo-enabling[Installing the Security Profiles Operator] +* link:http://access.redhat.com/articles/7130594[migration procedure] * xref:../../security/security_profiles_operator/spo-advanced.adoc#spo-log-enricher_spo-advanced[Using the log enricher] * xref:../../security/security_profiles_operator/spo-understanding.adoc#spo-about_spo-understanding[About security profiles] * xref:../../security/security_profiles_operator/spo-troubleshooting.adoc#spo-inspecting-seccomp-profiles_spo-troubleshooting[Troubleshoot the Security Profiles Operator] diff --git a/security/security_profiles_operator/spo-overview.adoc b/security/security_profiles_operator/spo-overview.adoc index f562262d16f8..98af3bf9e58b 100644 --- a/security/security_profiles_operator/spo-overview.adoc +++ b/security/security_profiles_operator/spo-overview.adoc @@ -4,18 +4,23 @@ include::_attributes/common-attributes.adoc[] :context: spo-overview -{product-title} Security Profiles Operator (SPO) provides a way to define secure computing (https://kubernetes.io/docs/tutorials/security/seccomp/[seccomp]) profiles and SELinux profiles as custom resources, synchronizing profiles to every node in a given namespace. For the latest updates, see the xref:../../security/security_profiles_operator/spo-release-notes.adoc#spo-release-notes[release notes]. - -The SPO can distribute custom resources to each node while a reconciliation loop ensures that the profiles stay up-to-date. See xref:../../security/security_profiles_operator/spo-understanding.adoc#spo-understanding[Understanding the Security Profiles Operator]. - -The SPO manages SELinux policies and seccomp profiles for namespaced workloads. For more information, see xref:../../security/security_profiles_operator/spo-enabling.adoc#spo-enabling[Enabling the Security Profiles Operator]. - -You can create xref:../../security/security_profiles_operator/spo-seccomp.adoc#spo-seccomp[seccomp] and xref:../../security/security_profiles_operator/spo-selinux.adoc#spo-selinux[SELinux] profiles, bind policies to pods, record workloads, and synchronize all worker nodes in a namespace. - -Use xref:../../security/security_profiles_operator/spo-advanced.adoc#spo-advanced[Advanced Security Profile Operator tasks] to enable the log enricher, configure webhooks and metrics, or restrict profiles to a single namespace. - -Use xref:../../security/security_profiles_operator/spo-logging.adoc#spo-advanced[SPO Advanced Audit Logging] to access logs in RHCOS containers for container-level security audit features. - -xref:../../security/security_profiles_operator/spo-troubleshooting.adoc#spo-inspecting-seccomp-profiles_spo-troubleshooting[Troubleshoot the Security Profiles Operator] as needed, or engage link:https://access.redhat.com/support/[Red Hat support]. - -You can xref:../../security/security_profiles_operator/spo-uninstalling.adoc#spo-uninstalling[Uninstall the Security Profiles Operator] by removing the profiles before removing the Operator. +toc::[] + +[role="_abstract"] +{product-title} Security Profiles Operator (SPO) provides a way to define secure computing (seccomp) profiles and SELinux profiles as custom resources, synchronizing profiles to every node in a given namespace. The SPO distributes custom resources to each node while a reconciliation loop ensures that the profiles stay up to date. The SPO manages SELinux policies and seccomp profiles for namespaced workloads. You can create seccomp and SELinux profiles, bind policies to pods, record workloads, and synchronize all worker nodes in a namespace. + +[id="spo-overview_additional-resources"] +[role="_additional-resources"] +== Additional resources + +* link:https://kubernetes.io/docs/tutorials/security/seccomp/[seccomp] +* xref:../../security/security_profiles_operator/spo-release-notes.adoc#spo-release-notes[Security Profiles Operator release notes] +* xref:../../security/security_profiles_operator/spo-understanding.adoc#spo-understanding[Understanding the Security Profiles Operator] +* xref:../../security/security_profiles_operator/spo-enabling.adoc#spo-enabling[Enabling the Security Profiles Operator] +* xref:../../security/security_profiles_operator/spo-seccomp.adoc#spo-seccomp[Managing seccomp profiles] +* xref:../../security/security_profiles_operator/spo-selinux.adoc#spo-selinux[Managing SELinux profiles] +* xref:../../security/security_profiles_operator/spo-advanced.adoc#spo-advanced[Advanced Security Profile Operator tasks] +* xref:../../security/security_profiles_operator/spo-logging.adoc#spo-audit-logging[Advanced Audit Logging Framework] +* xref:../../security/security_profiles_operator/spo-troubleshooting.adoc#spo-inspecting-seccomp-profiles_spo-troubleshooting[Troubleshoot the Security Profiles Operator] +* link:https://access.redhat.com/support/[Red Hat support] +* xref:../../security/security_profiles_operator/spo-uninstalling.adoc#spo-uninstalling[Uninstalling the Security Profiles Operator] diff --git a/security/security_profiles_operator/spo-selinux.adoc b/security/security_profiles_operator/spo-selinux.adoc index bfa2abd6c500..41f911dd0a16 100644 --- a/security/security_profiles_operator/spo-selinux.adoc +++ b/security/security_profiles_operator/spo-selinux.adoc @@ -38,4 +38,6 @@ include::modules/spo-selinux-runasany.adoc[leveloffset=+2] * xref:../../authentication/managing-security-context-constraints.adoc#managing-pod-security-policies[Managing security context constraints] * link:https://cloud.redhat.com/blog/managing-sccs-in-openshift[Managing SCCs in OpenShift] * xref:../../security/security_profiles_operator/spo-advanced.adoc#spo-log-enricher_spo-advanced[Using the log enricher] -* xref:../../security/security_profiles_operator/spo-understanding.adoc#spo-about_spo-understanding[About security profiles] \ No newline at end of file +* xref:../../security/security_profiles_operator/spo-understanding.adoc#spo-about_spo-understanding[About security profiles] +* link:https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission] +* link:https://kubernetes.io/docs/concepts/security/pod-security-standards/#privileged[Pod Security Standard] \ No newline at end of file diff --git a/security/security_profiles_operator/spo-understanding.adoc b/security/security_profiles_operator/spo-understanding.adoc index 66fd622e3fdc..f8d75ab14d3f 100644 --- a/security/security_profiles_operator/spo-understanding.adoc +++ b/security/security_profiles_operator/spo-understanding.adoc @@ -6,6 +6,7 @@ include::_attributes/common-attributes.adoc[] toc::[] +[role="_abstract"] {product-title} administrators can use the Security Profiles Operator to define increased security measures in clusters. [IMPORTANT] @@ -13,4 +14,4 @@ toc::[] The Security Profiles Operator supports only Red Hat Enterprise Linux CoreOS (RHCOS) worker nodes. Red Hat Enterprise Linux (RHEL) nodes are not supported. ==== -include::modules/spo-about.adoc[leveloffset=+1] \ No newline at end of file +include::modules/spo-about.adoc[leveloffset=+1] diff --git a/security/security_profiles_operator/spo-uninstalling.adoc b/security/security_profiles_operator/spo-uninstalling.adoc index baea35fbdd8f..02069e62eb75 100644 --- a/security/security_profiles_operator/spo-uninstalling.adoc +++ b/security/security_profiles_operator/spo-uninstalling.adoc @@ -4,8 +4,9 @@ include::_attributes/common-attributes.adoc[] :context: spo-uninstalling -You can remove the Security Profiles Operator from your cluster by using the {product-title} web console. - toc::[] -include::modules/spo-uninstall-console.adoc[leveloffset=+1] \ No newline at end of file +[role="_abstract"] +You can remove the Security Profiles Operator from your cluster by using the {product-title} web console. + +include::modules/spo-uninstall-console.adoc[leveloffset=+1]