DO280 - ch08s03

Bookmark this page

Allow Application Access to Kubernetes APIs

Objectives

Run an application that requires access to the Kubernetes API of the application's cluster.

Securing Kubernetes APIs

With the Kubernetes APIs, a user or an application can query and modify the cluster state. To protect your cluster from malicious interactions, you must grant access to the different Kubernetes APIs.

Role-based access control (RBAC) authorization is preconfigured in OpenShift. An application requires explicit RBAC authorization to access restricted Kubernetes APIs.

Application Authorization with Service Accounts

A service account is a Kubernetes object within a project. The service account represents the identity of an application that runs in a pod.

To grant an application access to a Kubernetes API, take these actions:

Create an application service account.
Grant the service account access to the Kubernetes API.
Assign the service account to the application pods.

If the pod definition does not specify a service account, then the pod uses the default service account. OpenShift grants no rights to the default service account, which is expected for business workloads. It is not recommended to grant additional permissions to the default service account, because it grants those additional permissions to all pods in the project, which might not be intended.

Use Cases for Kubernetes API Access

Regular business applications can successfully use the default service account, without requiring access to the Kubernetes APIs. On the contrary, infrastructure applications need access to monitor or to modify the cluster resources. These infrastructure applications might be classified into the following use cases:

Monitoring Applications

Applications in this category need read access to watch cluster resources or to verify cluster health. For example, a service such as Red Hat Advanced Cluster Security (ACS) needs read access to scan your cluster containers for vulnerabilities.

Controllers

Controllers are applications that constantly watch and try to reach the intended state of a resource.

For example, GitOps tools, such as ArgoCD, have controllers that watch cluster resources that are stored in a repository, and update the cluster to react to changes in that repository.

Operators

Operators automate creating, configuring, and managing instances of Kubernetes-native applications. Therefore, operators need permissions for configuration and maintenance tasks.

For example, a database operator might create a deployment when it detects a CR that defines a new database.

Application Kubernetes API Authorization with Roles

To provide the application with the needed permissions only, you can create roles or cluster roles that describe the application requirements. Roles grant permissions to Kubernetes API resources within a single namespace. Cluster roles grant permissions, either within one or more namespaces, or to all the cluster.

For example, you can create a cluster role for an application to read secrets.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-reader
rules:
- apiGroups: [""] 
  resources: ["secrets"] 
  verbs: ["get", "watch", "list"]

	The API groups, where an empty string represents the core API
	The resources that the role refers to
	The verbs or actions that the role allows the application to perform on the resource

You can also use the default cluster roles that OpenShift defines, which have wider permissions. For example, you can use the edit cluster role to get read access on secrets, as in the previous secret-reader cluster role.

The edit cluster role is less restrictive, and allows the application to create or update most objects.

Binding Roles to Service Accounts

For an application to use the role permissions, you must bind the role or cluster role to the application service account.

To bind a role or cluster role to a service account in a namespace, you can use the oc adm policy command with the add-role-to-user subcommand.

This command assigns a cluster role to a service account that exists in the current project:

[user@host ~]$ oc adm policy add-role-to-user cluster-role -z service-account

You can optionally use -z to avoid specifying the system:serviceaccount:project prefix when you assign the role to a service account that exists in the current project.

To create a cluster role binding, you can use the oc adm policy command with the add-cluster-role-to-user subcommand.

The following command assigns a cluster role to a service account with a cluster scope:

[user@host ~]$ oc adm policy add-cluster-role-to-user cluster-role service-account

Assigning an Application Service Account to Pods

OpenShift uses RBAC authorization by using the roles that are associated to the service account to grant or deny access to the resource. You specify the service account name in the spec.serviceAccountName pod definition field.

Applications must use the service account token internally when accessing a Kubernetes API. In earlier OpenShift versions than 4.11, OpenShift generated a secret with a token when creating a service account. Starting from OpenShift 4.11, tokens are no longer generated automatically. You must use the TokenRequest API to generate the service account token. You must mount the token as a pod volume for the application to access it.

Scoping Application Access to Kubernetes API Resources

An application might require access to a resource in the same namespace, or in a different namespace, or in all namespaces.

Accessing API Resources in the Same Namespace

To grant an application access to resources in the same namespace, you need a role or a cluster role and a service account in that namespace. You then create a role binding that associates to the service account the actions that the role grants on the resource. Using a role binding with a cluster role grants access only to the resource within the namespace.

Accessing API Resources in a Different Namespace

To give an application access to a resource in a different namespace, you must create the role binding in the project with the resource. The subject for the binding references the application service account that is in a different namespace from the binding.

You can use the following syntax to refer to service accounts from other projects:

system:serviceaccount:project:service-account

For example, if you have an application pod in the project-1 project that requires access to project-2 secrets, then you must take these actions:

Create an app-sa service account in the project-1 project.
Assign the app-sa service account to your application pod.
Create a role binding on the project-2 project that references the app-sa service account and the secret-reader role or cluster role.

Figure 8.1: Grant access to a service account to a different project

In this way, you restrict an application's access to a Kubernetes API to specified namespaces.

Accessing API Resources in All Namespaces

Grant your application service account the cluster role by using a cluster role binding. The cluster role binding grants the application cluster access to the API.

References

For more information, refer to the Using RBAC to Define and Apply Permissions chapter in the Red Hat OpenShift Container Platform 4.14 Authentication and Authorization documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/authentication_and_authorization/index#using-rbac

For more information, refer to the Understanding and Creating Service Accounts chapter in the Red Hat OpenShift Container Platform 4.14 Authentication and Authorization documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/authentication_and_authorization/index#understanding-and-creating-service-accounts

For more information, refer to the Using Service Accounts in Applications chapter in the Red Hat OpenShift Container Platform 4.14 Authentication and Authorization documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/authentication_and_authorization/index#using-service-accounts

For more information, refer to the About Automatically-generated Service Account Token Secrets section in the Red Hat OpenShift Container Platform 4.14 Authentication and Authorization documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/authentication_and_authorization/index#auto-generated-sa-token-secrets_using-service-accounts

Discuss Red Hat OpenShift Administration II: Configuring a Production Cluster

Go to community

Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280)

Haley_Ruccio

26 lip 2023

Configure, manage, and troubleshoot OpenShift clusters and containerized applicationsRed Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280) prepares OpenShift Cluster Administrators to perform daily administration tasks on clusters that host applications provided by internal teams and external vendors, enable self-service for cluster users with different roles, and deploy applications that require special permissions such as such as CI/CD tooling, performance monitoring, and security scanners. This course focuses on configuring multi-tenancy and security features of OpenShift as well as managing OpenShift add-ons based on operators.The skills you learn in this course can be applied using all versions of OpenShift, including Red Hat OpenShift on AWS (ROSA), Azure Red Hat OpenShift, and OpenShift Container Platform.This course is based on OpenShift Container Platform 4.12.5-10 Course TopicsDeploying packaged applications using manifests, templates, kustomize, and helm.Configuring authentication and authorization for users and applications.Protecting network traffic with network policies and exposing applications with proper network access.Deploying and managing applications using resources manifests.Enabling developer self-service of application projects.Managing OpenShift cluster updates and Kubernetes operator updates.Target AudienceSystem Administrators and Platform Operators interested in the ongoing management of OpenShift clusters, applications, users, and add-ons.Site Reliability Engineers interested in the ongoing maintenance and troubleshooting of Kubernetes clusters.System and Software Architects interested in understanding the security of an OpenShift cluster.Recommended TrainingTake our free assessment to gauge whether this offering is the best fit for your skills.Prerequisite: Red Hat OpenShift I: Containers & Kubernetes (DO180 v4.12), or equivalent skills deploying and managing Kubernetes applications using the OpenShift web console and command-line interfaces.Technology considerationsThis course requires internet access to access the cloud-based classroom environment that provides an OpenShift cluster and a remote administrator’s workstation.

476

About pod security standards and warnings

alexcorcoles

17 kwi 2023

(This material has been created with the inputs of instructors and other people. We are trying to get this material published as soon as possible to address some concerns with DO180 and DO280.)With the default configuration, any namespace that you create on OpenShift 4.12 has the following labels: pod-security.kubernetes.io/audit: restrictedpod-security.kubernetes.io/audit-version: v1.24pod-security.kubernetes.io/warn: restrictedpod-security.kubernetes.io/warn-version: v1.24 These labels activate auditing and warning of the restricted pod security standard. The Kubernetes documentation describes the restricted pod security standard. Pod security standards such as restricted are not directly related to security context constraints such as the restricted SCC.Kubernetes uses an admission controller to reject pods that do not comply with pod security standards. An admission controller is a Kubernetes component that inspects every Kubernetes resource before its creation, and acts before Kubernetes creates the resource. This action can include rejecting the creation of the resource, or modifying the resource.The pod security standards are policies that include properties that workloads must follow. For example, the restricted standard requires that containers set the securityContext.allowPrivilegeEscalation field to false.Pod security standards apply both to workloads, such as deployments and jobs, and to pods.When a pod is created, the admission controller inspects the container specifications and enumerates the fields that violate the pod security standard of the namespace. The admission controller inspects the pod-security labels in the namespace to decide which pod security standard to apply (restricted, baseline, or privileged), and which action to take on violations. Namespaces can audit, warn, or enforce pod security standard violations. When the pod-security.kubernetes.io/audit annotation is set to restricted, the admission controller prevents the creation of pods that violate the security standard. When the pod-security.kubernetes.io/audit and pod-security.kubernetes.io/warn annotations are defined in the project, the admission controller does not block the creation of pods, but registers audit events or warnings.The admission controller does not enforce pod security standards for workloads. If the namespace is configured to enforce a pod security standard, then you can create a violating workload. The admission controller enforces only pod security policies on pods.Cluster administrators can use pod security standards to ensure that pods and workloads in namespaces limit their privileges. By limiting privileges, cluster administrators can mitigate what malicious pods can do.The default configuration of user namespaces in OpenShift does not restrict any workload; it only notifies users when they create workloads that do not follow pod security standards that might be enforced in future OpenShift versions.Security Context ConstraintsOpenShift introduced security context constraints (SCC) before the introduction of pod security standards in Kubernetes. SCCs automatically make security modifications to pods when they are created. By default, the system:openshift:scc:restricted-v2 cluster role binding applies to all authenticated users, so regular user workloads use the restricted-v2 SCC. For example, when you execute the following command to create a workload without any security configuration, the SCC adds security configuration to the pods: [user@host ~]$ oc create deployment test --image registry.ocp4.example.com:8443/redhattraining/hello-world-nginx (You can add the --dry-run=client -o yaml options to view the deployment manifest. The deployment manifest does not contain the security properties, which are described later.)If you inspect the pods that the deployment created, the SCC makes the following changes: [user@host ~]$ oc get pod test-b8d5658b6-7bxfs -o yamlapiVersion: v1kind: Podmetadata: annotations:... output omitted... openshift.io/scc: restricted-v2 seccomp.security.alpha.kubernetes.io/pod: runtime/default...output omitted...spec: containers: - image: registry.ocp4.example.com:8443/redhattraining/hello-world-nginx imagePullPolicy: Always name: hello-world-nginx resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL runAsNonRoot: true runAsUser: 1000690000... output omitted... securityContext: fsGroup: 1000690000 seLinuxOptions: level: s0:c26,c20 seccompProfile: type: RuntimeDefault... output omitted... These restrictions satisfy the restricted pod security policy.The result of these defaults means that when creating a workload (such as a deployment) in a namespace without any customization, the restricted pod security standard applies, but the admission controller only warns and audits. If the workload does not satisfy the pod security standard, then the admission controller allows the workload to be created, but prints a message such as the following warning: Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "example" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "example" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "database" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "example" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") However, by default Kubernetes creates the deployment pods with the restricted-v2 SCC, with the restrictions that the previous warning included. Due to the following factors, workloads generate only a warning, and the pod security standard admission controller allows their pods:The pod security standard admission controller never enforces pod security standards on workloads (only on pods).By default, namespaces do not enforce pod security standards on pods.By default, regular workloads create pods by using the restricted-v2 SCC, which satisfies the restricted pod security standard.Even if future versions of OpenShift change the default namespace configuration to enforce the restricted pod security standard, users will continue to be able to create workloads without explicitly declaring the restrictions that the pod security standard requires, because the restricted-v2 SCC will apply such restrictions automatically.You can take the following approaches to handling pod security:For most workloads, the restricted-v2 SCC limits pod privileges adequately. When creating a workload, you receive the warning, but the workload creates pods and works correctly.You can also create your workloads by providing a full specification of the security constraints to apply, without relying on the SCC to provide the configuration. By following this approach, privileges are more explicit, and you have greater control, so you can adjust more precisely the specific privileges that are granted to workloads.When the restricted-v2 SCC and the default restricted pod security standard are not adequate for your workload, because either you require further privileges, or you need further restrictions, you must use an existing SCC, or create a custom SCC, and provide explicit security specifications. You can also adjust the namespace labels to choose a different pod security standard, and decide to audit, log, or enforce the standard.

1473

Welcome to the Red Hat OpenShift Administration II (DO280) group in the Red Hat Learning Community!

Deanna

17 kwi 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster!To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO280.Read more about Red Hat OpenShift Administration II here.Thanks!

1334

Revision: do280-4.14-08d11e1