Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions modules/spo-about.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
[id="spo-about_{context}"]
= About Security Profiles

[role="_abstract"]
Security profiles can increase security at the container level in your cluster.

Seccomp security profiles list the syscalls a process can make. Permissions are broader than SELinux, enabling users to restrict operations system-wide, such as `write`.
Expand Down
1 change: 1 addition & 0 deletions modules/spo-applying-profiles.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ endif::[]
[id="spo-applying-profiles_{context}"]
= Applying {type} profiles to a pod

[role="_abstract"]
Create a pod to apply one of the created profiles.

ifdef::selinux[]
Expand Down
1 change: 1 addition & 0 deletions modules/spo-configuring-webhooks.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
[id="spo-configuring-webhooks_{context}"]
= Configuring webhooks

[role="_abstract"]
Profile binding and profile recording objects can use webhooks. Profile binding and recording object configurations are `MutatingWebhookConfiguration` CRs, managed by the Security Profiles Operator.

To change the webhook configuration, the `spod` CR exposes a `webhookOptions` field that allows modification of the `failurePolicy`, `namespaceSelector`, and `objectSelector` variables. This allows you to set the webhooks to "soft-fail" or restrict them to a subset of a namespaces so that even if the webhooks failed, other namespaces or resources are not affected.
Expand Down
1 change: 1 addition & 0 deletions modules/spo-container-profile-instances.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ endif::[]
[id="spo-container-profile-instances_{context}"]
= Merging per-container profile instances

[role="_abstract"]
By default, each container instance records into a separate profile. The Security Profiles Operator can merge the per-container profiles into a single profile. Merging profiles is useful when deploying applications using `ReplicaSet` or `Deployment` objects.

.Procedure
Expand Down
1 change: 1 addition & 0 deletions modules/spo-log-enricher.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
[id="spo-log-enricher_{context}"]
= Using the log enricher

[role="_abstract"]
The Security Profiles Operator contains a log enrichment feature, which is disabled by default. The log enricher container runs with `privileged` permissions to read the audit logs from the local node. The log enricher runs within the host PID namespace, `hostPID`.

[IMPORTANT]
Expand Down
1 change: 1 addition & 0 deletions modules/spo-recording-profiles.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ endif::[]
[id="spo-recording-profiles_{context}"]
= Recording profiles from workloads

[role="_abstract"]
The Security Profiles Operator can record system calls with `ProfileRecording` objects, making it easier to create baseline profiles for applications.

When using the log enricher for recording {type} profiles, verify the log enricher feature is enabled. See _Additional resources_ for more information.
Expand Down
1 change: 1 addition & 0 deletions modules/spo-selinux-permissive.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
[id="spo-selinux-permissive_{context}"]
= Applying SELinux log policies

[role="_abstract"]
To log policy violations or AVC denials, set the `SElinuxProfile` profile to `permissive`.

[IMPORTANT]
Expand Down
4 changes: 2 additions & 2 deletions modules/spo-selinux-runasany.adoc
Original file line number Diff line number Diff line change
@@ -1,15 +1,15 @@
// Module included in the following assemblies:
//
// * security/security_profiles_operator/spo-seccomp.adoc
// * security/security_profiles_operator/spo-selinux.adoc

:_mod-docs-content-type: CONCEPT
[id="spo-selinux-runasany_{context}"]

= About seLinuxContext: RunAsAny

[role="_abstract"]
Recording of SELinux policies is implemented with a webhook that injects a special SELinux type to the pods being recorded. The SELinux type makes the pod run in `permissive` mode, logging all the AVC denials into `audit.log`. By default, a workload is not allowed to run with a custom SELinux policy, but uses an auto-generated type.

To record a workload, the workload must use a service account that has permissions to use an SCC that allows the webhook to inject the permissive SELinux type. The `privileged` SCC contains `seLinuxContext: RunAsAny`.

In addition, the namespace must be labeled with `pod-security.kubernetes.io/enforce: privileged` if your cluster enables the link:https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission] because only the `privileged` link:https://kubernetes.io/docs/concepts/security/pod-security-standards/#privileged[Pod Security Standard] allows using a custom SELinux policy.
In addition, the namespace must be labeled with `pod-security.kubernetes.io/enforce: privileged` if your cluster enables Pod Security Admission, because only the privileged Pod Security Standard allows using a custom SELinux policy.
5 changes: 2 additions & 3 deletions modules/spo-uninstall-console.adoc
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
// Module included in the following assemblies:
//
// * security/security_profiles_operator/spo-troubleshooting.adoc
// * security/security_profiles_operator/spo-uninstalling.adoc

:_mod-docs-content-type: PROCEDURE
[id="spo-uninstall-console_{context}"]
= Uninstall the Security Profiles Operator using the web console

[role="_abstract"]
To remove the Security Profiles Operator, you must first delete the `seccomp` and SELinux profiles. After the profiles are removed, you can then remove the Operator and its namespace by deleting the *openshift-security-profiles* project.

.Prerequisites
Expand All @@ -15,8 +16,6 @@ To remove the Security Profiles Operator, you must first delete the `seccomp` an

.Procedure

To remove the Security Profiles Operator by using the {product-title} web console:

. Navigate to the *Ecosystem* -> *Installed Operators* page.

. Delete all `seccomp` profiles, SELinux profiles, and webhook configurations.
Expand Down
12 changes: 7 additions & 5 deletions security/security_profiles_operator/spo-logging.adoc
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
:_mod-docs-content-type: ASSEMBLY
[id="spo-audit-logging_{context}"]
[id="spo-audit-logging"]
= Advanced Audit Logging Framework
include::_attributes/common-attributes.adoc[]
:context: spo-audit-logging
Expand Down Expand Up @@ -40,7 +40,7 @@ The Advanced Audit Logging feature uses eBPF as a supplemental data source. Whil

Before enabling the Advanced Audit Logging Framework, ensure the following requirements are met.

Security Profiles Operator version 0.10.0 or later is installed. Those instructions can be found at https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/security_and_compliance/security-profiles-operator#spo-installing_spo-enabling[Installing the Security Profiles Operator]. The Advanced Audit Logging Framework requires Security Profiles Operator version 0.10.0 or later.
Security Profiles Operator version 0.10.0 or later is installed. The Advanced Audit Logging Framework requires Security Profiles Operator version 0.10.0 or later.

For node debugging sessions:

Expand All @@ -50,7 +50,7 @@ For node debugging sessions:

If you are using the CRI-O runtime, you must configure it to allow `seccompProfile` to be applied to privileged containers. Add the following flag to your CRI-O runtime configuration: `--privileged-seccomp-profile=/var/lib/kubelet/seccomp/operator/profile1.json`. This is explained in more detail in the Advanced Audit Logging installation and enablement steps. The `--privileged-seccomp-profile` flag is available starting with OCP 4.20 and later.

If you are using any version of SPO before 0.9.0, you must perform a link:http://access.redhat.com/articles/7130594[migration procedure] to install versions 0.9.0 or 0.10.0. The migration procedure converts SPO to operate on cluster-scoped resources.
If you are using any version of SPO before 0.9.0, you must perform a migration procedure to install versions 0.9.0 or 0.10.0. The migration procedure converts SPO to operate on cluster-scoped resources.

First-time installation of SPO version 0.10.0 does not require migration. Also, if you are currently on SPO 0.9.0, you do not require migration and can directly upgrade to SPO 0.10.0.

Expand Down Expand Up @@ -87,10 +87,12 @@ include::modules/spo-log-webhook.adoc[leveloffset=+1]
include::modules/spo-log-disable.adoc[leveloffset=+1]


// [role="_additional-resources"]
// [id="additional-resources_spo-logging"]
[id="additional-resources_{context}"]
[role="_additional-resources"]
== Additional resources

* xref:../../security/security_profiles_operator/spo-enabling.adoc#spo-installing_spo-enabling[Installing the Security Profiles Operator]
* link:http://access.redhat.com/articles/7130594[migration procedure]
* xref:../../security/security_profiles_operator/spo-advanced.adoc#spo-log-enricher_spo-advanced[Using the log enricher]
* xref:../../security/security_profiles_operator/spo-understanding.adoc#spo-about_spo-understanding[About security profiles]
* xref:../../security/security_profiles_operator/spo-troubleshooting.adoc#spo-inspecting-seccomp-profiles_spo-troubleshooting[Troubleshoot the Security Profiles Operator]
Expand Down
35 changes: 20 additions & 15 deletions security/security_profiles_operator/spo-overview.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -4,18 +4,23 @@
include::_attributes/common-attributes.adoc[]
:context: spo-overview

{product-title} Security Profiles Operator (SPO) provides a way to define secure computing (https://kubernetes.io/docs/tutorials/security/seccomp/[seccomp]) profiles and SELinux profiles as custom resources, synchronizing profiles to every node in a given namespace. For the latest updates, see the xref:../../security/security_profiles_operator/spo-release-notes.adoc#spo-release-notes[release notes].

The SPO can distribute custom resources to each node while a reconciliation loop ensures that the profiles stay up-to-date. See xref:../../security/security_profiles_operator/spo-understanding.adoc#spo-understanding[Understanding the Security Profiles Operator].

The SPO manages SELinux policies and seccomp profiles for namespaced workloads. For more information, see xref:../../security/security_profiles_operator/spo-enabling.adoc#spo-enabling[Enabling the Security Profiles Operator].

You can create xref:../../security/security_profiles_operator/spo-seccomp.adoc#spo-seccomp[seccomp] and xref:../../security/security_profiles_operator/spo-selinux.adoc#spo-selinux[SELinux] profiles, bind policies to pods, record workloads, and synchronize all worker nodes in a namespace.

Use xref:../../security/security_profiles_operator/spo-advanced.adoc#spo-advanced[Advanced Security Profile Operator tasks] to enable the log enricher, configure webhooks and metrics, or restrict profiles to a single namespace.

Use xref:../../security/security_profiles_operator/spo-logging.adoc#spo-advanced[SPO Advanced Audit Logging] to access logs in RHCOS containers for container-level security audit features.

xref:../../security/security_profiles_operator/spo-troubleshooting.adoc#spo-inspecting-seccomp-profiles_spo-troubleshooting[Troubleshoot the Security Profiles Operator] as needed, or engage link:https://access.redhat.com/support/[Red Hat support].

You can xref:../../security/security_profiles_operator/spo-uninstalling.adoc#spo-uninstalling[Uninstall the Security Profiles Operator] by removing the profiles before removing the Operator.
toc::[]

[role="_abstract"]
{product-title} Security Profiles Operator (SPO) provides a way to define secure computing (seccomp) profiles and SELinux profiles as custom resources, synchronizing profiles to every node in a given namespace. The SPO distributes custom resources to each node while a reconciliation loop ensures that the profiles stay up to date. The SPO manages SELinux policies and seccomp profiles for namespaced workloads. You can create seccomp and SELinux profiles, bind policies to pods, record workloads, and synchronize all worker nodes in a namespace.

[id="spo-overview_additional-resources"]
[role="_additional-resources"]
== Additional resources

* link:https://kubernetes.io/docs/tutorials/security/seccomp/[seccomp]
* xref:../../security/security_profiles_operator/spo-release-notes.adoc#spo-release-notes[Security Profiles Operator release notes]
* xref:../../security/security_profiles_operator/spo-understanding.adoc#spo-understanding[Understanding the Security Profiles Operator]
* xref:../../security/security_profiles_operator/spo-enabling.adoc#spo-enabling[Enabling the Security Profiles Operator]
* xref:../../security/security_profiles_operator/spo-seccomp.adoc#spo-seccomp[Managing seccomp profiles]
* xref:../../security/security_profiles_operator/spo-selinux.adoc#spo-selinux[Managing SELinux profiles]
* xref:../../security/security_profiles_operator/spo-advanced.adoc#spo-advanced[Advanced Security Profile Operator tasks]
* xref:../../security/security_profiles_operator/spo-logging.adoc#spo-audit-logging[Advanced Audit Logging Framework]
* xref:../../security/security_profiles_operator/spo-troubleshooting.adoc#spo-inspecting-seccomp-profiles_spo-troubleshooting[Troubleshoot the Security Profiles Operator]
* link:https://access.redhat.com/support/[Red Hat support]
* xref:../../security/security_profiles_operator/spo-uninstalling.adoc#spo-uninstalling[Uninstalling the Security Profiles Operator]
4 changes: 3 additions & 1 deletion security/security_profiles_operator/spo-selinux.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -38,4 +38,6 @@ include::modules/spo-selinux-runasany.adoc[leveloffset=+2]
* xref:../../authentication/managing-security-context-constraints.adoc#managing-pod-security-policies[Managing security context constraints]
* link:https://cloud.redhat.com/blog/managing-sccs-in-openshift[Managing SCCs in OpenShift]
* xref:../../security/security_profiles_operator/spo-advanced.adoc#spo-log-enricher_spo-advanced[Using the log enricher]
* xref:../../security/security_profiles_operator/spo-understanding.adoc#spo-about_spo-understanding[About security profiles]
* xref:../../security/security_profiles_operator/spo-understanding.adoc#spo-about_spo-understanding[About security profiles]
* link:https://kubernetes.io/docs/concepts/security/pod-security-admission/[Pod Security Admission]
* link:https://kubernetes.io/docs/concepts/security/pod-security-standards/#privileged[Pod Security Standard]
3 changes: 2 additions & 1 deletion security/security_profiles_operator/spo-understanding.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,12 @@ include::_attributes/common-attributes.adoc[]

toc::[]

[role="_abstract"]
{product-title} administrators can use the Security Profiles Operator to define increased security measures in clusters.

[IMPORTANT]
====
The Security Profiles Operator supports only Red Hat Enterprise Linux CoreOS (RHCOS) worker nodes. Red Hat Enterprise Linux (RHEL) nodes are not supported.
====

include::modules/spo-about.adoc[leveloffset=+1]
include::modules/spo-about.adoc[leveloffset=+1]
7 changes: 4 additions & 3 deletions security/security_profiles_operator/spo-uninstalling.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,9 @@
include::_attributes/common-attributes.adoc[]
:context: spo-uninstalling

You can remove the Security Profiles Operator from your cluster by using the {product-title} web console.

toc::[]

include::modules/spo-uninstall-console.adoc[leveloffset=+1]
[role="_abstract"]
You can remove the Security Profiles Operator from your cluster by using the {product-title} web console.

include::modules/spo-uninstall-console.adoc[leveloffset=+1]