
Since Kubernetes 1.21, the old PodSecurityPolicy API has been deprecated, and it was removed in version 1.25 and later. It is replaced by the new built-in Pod Security Admission (PSA) controller, which introduces a new set of Pod Security Standards. To support these standards, Red Hat OpenShift Container Platform introduces new security context constraints (SCC) policies.

With these changes, and especially starting with OpenShift 4.12, all namespaces run in restricted mode, and pods must be configured to satisfy the security standard enforced globally or at the namespace level before they are admitted. See discussions here. This has implications for Cryostat, a container-native JVM application that provides a secure API for profiling and monitoring containers with JDK Flight Recorder, if you run it on OpenShift.

Security context defaults

By default, the restricted standard is enforced for the operator's deployment and its operands. For the Cryostat application pod, the operator also selects an fsGroup so that Cryostat can read and write files in its persistent volume. These defaults might not suit every environment, so in Cryostat Operator 2.2.0 and later you can configure the security contexts for Cryostat workloads.

Prerequisites

To get started, install Cryostat Operator 2.2.0 on an OpenShift cluster. The steps outlined in this article assume a local OpenShift cluster created with Red Hat OpenShift Local (formerly Red Hat CodeReady Containers).

Configure security contexts via Cryostat CR

The Cryostat custom resource (CR) property spec.securityOptions defines the security contexts for the Cryostat application, and spec.reportOptions.securityOptions does the same for its report sidecar. For example:

apiVersion: operator.cryostat.io/v1beta1
kind: Cryostat
metadata:
  name: cryostat-sample
spec:
  securityOptions:
    podSecurityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    coreSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      runAsUser: 1001
    dataSourceSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
    grafanaSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
  reportOptions:
    replicas: 1
    securityOptions:
      podSecurityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      reportsSecurityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        runAsUser: 1001
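Before applying a CR like the one above, it is useful to check that every context it declares actually satisfies the restricted Pod Security Standard (allowPrivilegeEscalation false, all capabilities dropped, runAsNonRoot true, and a RuntimeDefault or Localhost seccomp profile at pod or container level). The following lint is an added example, not part of the article or of the Cryostat Operator; it reads the CR as a dictionary using the field names from the example above, and the sample CR is constructed for illustration.

```python
# Lint a Cryostat CR's security contexts against the restricted Pod Security Standard.
MAIN_CONTAINERS = ("coreSecurityContext", "dataSourceSecurityContext", "grafanaSecurityContext")


def check_container(name, pod_ctx, ctx):
    """Return the restricted-profile requirements that one container context fails."""
    problems = []
    if ctx.get("allowPrivilegeEscalation") is not False:
        problems.append(f"{name}: allowPrivilegeEscalation must be false")
    if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
        problems.append(f"{name}: capabilities.drop must include ALL")
    # runAsNonRoot and seccompProfile may be inherited from the pod-level context
    if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
        problems.append(f"{name}: runAsNonRoot must be true (pod or container level)")
    seccomp = ctx.get("seccompProfile", pod_ctx.get("seccompProfile", {})).get("type")
    if seccomp not in ("RuntimeDefault", "Localhost"):
        problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


def restricted_violations(cr):
    """Check spec.securityOptions and spec.reportOptions.securityOptions of a Cryostat CR."""
    spec = cr.get("spec", {})
    main = spec.get("securityOptions", {})
    problems = []
    for key in MAIN_CONTAINERS:
        problems += check_container(key, main.get("podSecurityContext", {}), main.get(key, {}))
    reports = spec.get("reportOptions", {})
    if reports.get("replicas", 0) > 0:  # sidecar contexts only matter when it is deployed
        report_opts = reports.get("securityOptions", {})
        problems += check_container("reportsSecurityContext", report_opts.get("podSecurityContext", {}),
                                    report_opts.get("reportsSecurityContext", {}))
    return problems


# Constructed sample CR: compliant main pod, report sidecar missing two settings
SAMPLE_CR = {"apiVersion": "operator.cryostat.io/v1beta1", "kind": "Cryostat", "spec": {
    "securityOptions": {
        "podSecurityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "coreSecurityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}, "runAsUser": 1001},
        "dataSourceSecurityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
        "grafanaSecurityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
    },
    "reportOptions": {"replicas": 1, "securityOptions": {
        "podSecurityContext": {"runAsNonRoot": True},
        "reportsSecurityContext": {"capabilities": {"drop": ["ALL"]}},
    }},
}}
```

Running restricted_violations(SAMPLE_CR) reports the two gaps in the report sidecar; an empty spec reports all four requirements for each of the three main containers.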

On the OpenShift console, open the Advanced Configurations to set Security Context for the Cryostat application (Figure 1).

Figure 1: The security context configuration for the Cryostat application.

For the report sidecar, visit Report Options and then Advanced Options to set the security context (Figure 2).

Figure 2: The security context configuration for the report sidecar.

Summary

With the introduction of the new SCCs, Cryostat workloads must be configured to meet these new security standards. Since Cryostat Operator 2.2.0, the operator by default ensures that operand pods meet the restricted standard, and you can also define custom security contexts via the Cryostat CR to match your environment.