The PodSecurityPolicy API was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25 and later. It is replaced by the built-in Pod Security Admission (PSA) controller, which enforces a new set of Pod Security Standards. To support these standards, Red Hat OpenShift Container Platform introduces new security context constraints (SCC) policies.
With these changes, and especially starting with OpenShift 4.12, all namespaces run in restricted mode: a pod is only admitted if it is properly configured under the security standard enforced globally or at the namespace level. See discussions here. This has implications for Cryostat, a container-native JVM application that provides a secure API for profiling and monitoring containers with JDK Flight Recorder, if you run it on OpenShift.
Security context defaults
By default, the restricted standard is enforced for the Operator's deployment and its operands. For the Cryostat application pod, the Operator also selects an fsGroup so that Cryostat can read and write files in its persistent volume. These defaults might not work with your settings, however. Therefore, in versions 2.2.0 and later of the Cryostat Operator, you can configure security contexts for Cryostat workloads.
To get started, you need to install Cryostat Operator 2.2.0 on an OpenShift cluster. The steps outlined in this article assume a local OpenShift cluster created with Red Hat OpenShift Local (formerly Red Hat CodeReady Containers).
Configure security contexts via Cryostat CR
The Cryostat custom resource (CR) property spec.securityOptions defines the security contexts for the Cryostat application, and spec.reportOptions.securityOptions defines them for its report sidecar. For example:
apiVersion: operator.cryostat.io/v1beta1
kind: Cryostat
metadata:
  name: cryostat-sample
spec:
  securityOptions:
    podSecurityContext:
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault
    coreSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
      runAsUser: 1001
    dataSourceSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
    grafanaSecurityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
          - ALL
  reportOptions:
    replicas: 1
    securityOptions:
      podSecurityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      reportsSecurityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        runAsUser: 1001
On the OpenShift console, open Advanced Configurations to set the security context for the Cryostat application (Figure 1).
For the report sidecar, open Report Options and then Advanced Options to set its security context (Figure 2).
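Before applying a CR like the one above, it helps to know whether each security context actually satisfies the restricted Pod Security Standard that PSA will enforce; otherwise the pod is simply refused at admission and the reason only shows up in the Operator's events. The following Python script is an added example, not code from the Cryostat project: it encodes the restricted profile's container-level requirements (allowPrivilegeEscalation explicitly false, all capabilities dropped with only NET_BIND_SERVICE allowed back, runAsNonRoot true, a non-zero runAsUser, and a RuntimeDefault or Localhost seccomp profile) and walks the securityOptions fields named in this article. The CR is a constructed copy of the example above as a plain dict so the script needs only the standard library; the assumption that no report sidecar exists when replicas is 0 is the author's, not documented on this page.

```python
"""Check the security contexts in a Cryostat CR against the Kubernetes
'restricted' Pod Security Standard before applying the CR to a cluster."""
import copy

# Constructed from the article's example CR; a dict stands in for the YAML.
CRYOSTAT_CR = {
    "apiVersion": "operator.cryostat.io/v1beta1",
    "kind": "Cryostat",
    "metadata": {"name": "cryostat-sample"},
    "spec": {
        "securityOptions": {
            "podSecurityContext": {"runAsNonRoot": True,
                                   "seccompProfile": {"type": "RuntimeDefault"}},
            "coreSecurityContext": {"allowPrivilegeEscalation": False,
                                    "capabilities": {"drop": ["ALL"]},
                                    "runAsUser": 1001},
            "dataSourceSecurityContext": {"allowPrivilegeEscalation": False,
                                          "capabilities": {"drop": ["ALL"]}},
            "grafanaSecurityContext": {"allowPrivilegeEscalation": False,
                                       "capabilities": {"drop": ["ALL"]}},
        },
        "reportOptions": {
            "replicas": 1,
            "securityOptions": {
                "podSecurityContext": {"runAsNonRoot": True,
                                       "seccompProfile": {"type": "RuntimeDefault"}},
                "reportsSecurityContext": {"allowPrivilegeEscalation": False,
                                           "capabilities": {"drop": ["ALL"]},
                                           "runAsUser": 1001},
            },
        },
    },
}

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def check_container(name, pod_ctx, ctx):
    """Return the restricted-profile violations for one container context.

    pod_ctx is the pod-level securityContext; ctx is the container-level one.
    As in a PodSpec, a container-level field overrides the pod-level field.
    """
    def effective(key):
        return ctx.get(key, pod_ctx.get(key))

    violations = []
    if ctx.get("allowPrivilegeEscalation") is not False:
        violations.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
    caps = ctx.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        violations.append(f"{name}: capabilities.drop must include ALL")
    extra = set(caps.get("add") or []) - ALLOWED_ADD_CAPS
    if extra:
        violations.append(f"{name}: capabilities.add may only contain "
                          f"NET_BIND_SERVICE, got {sorted(extra)}")
    if effective("runAsNonRoot") is not True:
        violations.append(f"{name}: runAsNonRoot must be true at pod or container level")
    if effective("runAsUser") == 0:
        violations.append(f"{name}: runAsUser must not be 0")
    seccomp = effective("seccompProfile") or {}
    if seccomp.get("type") not in ALLOWED_SECCOMP:
        violations.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return violations


def check_cryostat_cr(cr):
    """Check every securityOptions block this article describes; [] means clean."""
    spec = cr.get("spec", {})
    violations = []
    main = spec.get("securityOptions", {})
    pod_ctx = main.get("podSecurityContext", {})
    for key in ("coreSecurityContext", "dataSourceSecurityContext",
                "grafanaSecurityContext"):
        violations += check_container(key, pod_ctx, main.get(key, {}))
    reports = spec.get("reportOptions", {})
    # Assumption: with replicas 0 no report sidecar is deployed, so skip it.
    if reports.get("replicas", 0) > 0:
        rsec = reports.get("securityOptions", {})
        violations += check_container("reportsSecurityContext",
                                      rsec.get("podSecurityContext", {}),
                                      rsec.get("reportsSecurityContext", {}))
    return violations


def weakened_cr():
    """A copy of the example CR with the core container running as root."""
    cr = copy.deepcopy(CRYOSTAT_CR)
    cr["spec"]["securityOptions"]["coreSecurityContext"]["runAsUser"] = 0
    return cr


if __name__ == "__main__":
    for label, cr in (("example CR", CRYOSTAT_CR), ("weakened CR", weakened_cr())):
        problems = check_cryostat_cr(cr)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The check mirrors the per-container rules PSA applies, so a CR that passes here is configured the way the Operator's default restricted settings already are; it does not model OpenShift-specific SCC details such as the fsGroup selection mentioned above.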
With the introduction of new SCCs, Cryostat workloads must be configured to meet these new security standards. Since Cryostat Operator 2.2.0, the Operator by default ensures that operand pods meet the restricted standard. You can also define custom security contexts via the Cryostat CR to work with your settings.