Since Kubernetes 1.21, the PodSecurityPolicy API has been deprecated, and it was removed in version 1.25 and later. It is replaced by the built-in Pod Security Admission (PSA) controller, which enforces a new set of Pod Security Standards. To support these standards, Red Hat OpenShift Container Platform introduces new security context constraints (SCC) policies.
With these changes, and especially starting with OpenShift 4.12, all namespaces run in the restricted mode, and a pod is admitted only if it is properly configured under the security standard enforced globally or at the namespace level. See discussions here. This has implications for Cryostat, a container-native JVM application that provides a secure API for profiling and monitoring containers with JDK Flight Recorder, if you run it on OpenShift.
Security context defaults
By default, the restricted standard is enforced for the operator's deployment and its operands. For the Cryostat application pod, the Operator also selects an fsGroup so that Cryostat can read and write files in its persistent volume. However, these defaults might not suit your cluster's configuration. Therefore, in versions 2.2.0 and later of the Cryostat Operator, you can configure the security contexts of Cryostat workloads yourself.
Prerequisites
To get started, you will need to install Cryostat Operator 2.2.0 on an OpenShift cluster. The steps outlined in this article assume a local OpenShift cluster created with Red Hat OpenShift Local (formerly Red Hat CodeReady Containers).
Configure security contexts via Cryostat CR
The Cryostat custom resource (CR) property spec.securityOptions can be set to define security contexts for the Cryostat application, and spec.reportOptions.securityOptions defines them for its report sidecar. For example:
apiVersion: operator.cryostat.io/v1beta1
kind: Cryostat
metadata:
  name: cryostat-sample
spec:
  securityOptions:
    podSecurityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    coreSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      runAsUser: 1001
    dataSourceSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
    grafanaSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
  reportOptions:
    replicas: 1
    securityOptions:
      podSecurityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      reportsSecurityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        runAsUser: 1001
On the OpenShift console, open the Advanced Configurations to set Security Context for the Cryostat application (Figure 1).
For the report sidecar, visit Report Options and then Advanced Options to set the security context (Figure 2).
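Before applying a custom CR, it is useful to know whether the security contexts you have set would still pass the restricted Pod Security Standard, since a pod that fails it is rejected at admission rather than at runtime. The following checker is an added example and is not part of the Cryostat Operator or this article; it embeds a constructed copy of the CR above as a Python dict (so no YAML library is needed) and walks the contexts under spec.securityOptions and spec.reportOptions.securityOptions, applying the restricted profile's rules: allowPrivilegeEscalation false, capabilities dropping ALL (only NET_BIND_SERVICE may be added), runAsNonRoot true and a non-zero runAsUser, and a seccompProfile of type RuntimeDefault or Localhost. Container-level fields override pod-level ones, as the kubelet merges them. The function weakened_cr() is a hypothetical helper that produces a deliberately misconfigured copy to show what a failing report looks like.

```python
"""Check the security contexts in a Cryostat CR against the Kubernetes
'restricted' Pod Security Standard before applying it to an OpenShift cluster.

Added example, not Cryostat project code. The CR below is a constructed sample
that mirrors the one in the article."""
from copy import deepcopy

# Constructed sample: the Cryostat CR from the article as a Python dict.
CRYOSTAT_CR = {
    "apiVersion": "operator.cryostat.io/v1beta1",
    "kind": "Cryostat",
    "metadata": {"name": "cryostat-sample"},
    "spec": {
        "securityOptions": {
            "podSecurityContext": {
                "runAsNonRoot": True,
                "seccompProfile": {"type": "RuntimeDefault"},
            },
            "coreSecurityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "runAsUser": 1001,
            },
            "dataSourceSecurityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
            "grafanaSecurityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        },
        "reportOptions": {
            "replicas": 1,
            "securityOptions": {
                "podSecurityContext": {
                    "runAsNonRoot": True,
                    "seccompProfile": {"type": "RuntimeDefault"},
                },
                "reportsSecurityContext": {
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                    "runAsUser": 1001,
                },
            },
        },
    },
}

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def check_container(name, pod_ctx, ctr_ctx):
    """Return the restricted-profile violations for one container.

    Container-level runAsNonRoot, runAsUser and seccompProfile override the
    pod-level values; the other checks are container-level only."""
    violations = []
    if ctr_ctx.get("allowPrivilegeEscalation") is not False:
        violations.append(f"{name}: allowPrivilegeEscalation must be false")
    caps = ctr_ctx.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        violations.append(f"{name}: capabilities.drop must include ALL")
    extra = set(caps.get("add") or []) - ALLOWED_ADDED_CAPS
    if extra:
        violations.append(f"{name}: capabilities.add contains {sorted(extra)}")
    if ctr_ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
        violations.append(f"{name}: runAsNonRoot must be true (pod or container level)")
    if ctr_ctx.get("runAsUser", pod_ctx.get("runAsUser")) == 0:
        violations.append(f"{name}: runAsUser must not be 0")
    seccomp = ctr_ctx.get("seccompProfile") or pod_ctx.get("seccompProfile") or {}
    if seccomp.get("type") not in ALLOWED_SECCOMP:
        violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


def check_cryostat_cr(cr):
    """Collect restricted-profile violations for both pods the CR describes:
    the main Cryostat pod and the report sidecar pod."""
    spec = cr.get("spec", {})
    groups = [
        ("cryostat", spec.get("securityOptions") or {},
         ["coreSecurityContext", "dataSourceSecurityContext", "grafanaSecurityContext"]),
        ("reports", (spec.get("reportOptions") or {}).get("securityOptions") or {},
         ["reportsSecurityContext"]),
    ]
    violations = []
    for pod_name, opts, ctr_keys in groups:
        pod_ctx = opts.get("podSecurityContext") or {}
        for key in ctr_keys:
            violations += check_container(f"{pod_name}/{key}", pod_ctx, opts.get(key) or {})
    return violations


def weakened_cr():
    """Hypothetical helper: a copy of the sample with two settings the
    restricted profile rejects, used to show a failing report."""
    cr = deepcopy(CRYOSTAT_CR)
    cr["spec"]["securityOptions"]["coreSecurityContext"]["allowPrivilegeEscalation"] = True
    del cr["spec"]["securityOptions"]["podSecurityContext"]["seccompProfile"]
    return cr


if __name__ == "__main__":
    for label, cr in (("sample", CRYOSTAT_CR), ("weakened", weakened_cr())):
        problems = check_cryostat_cr(cr)
        print(f"{label}: {'OK' if not problems else f'{len(problems)} violation(s)'}")
        for problem in problems:
            print("  -", problem)
```

Running the script reports the article's CR as clean and lists four violations for the weakened copy: one for the privilege-escalation flag on the core container and one per Cryostat container for the missing seccomp profile, because dropping it at pod level removes the inherited value from every container that does not set its own. The report pod is unaffected since it carries its own podSecurityContext.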
Summary
With the introduction of new SCCs, Cryostat workloads must be configured to meet these new security standards. Since Cryostat Operator 2.2.0, the operator by default ensures that operand pods meet the restricted standard. However, you can also define custom security contexts via the Cryostat CR to work with your settings.