Security Context Constraints for Unica on Red Hat OpenShift

For any Security Context Constraint (SCC), perform the following steps:

Procedure

  1. Set allowPrivilegedContainer to FALSE, regardless of whether it is currently enabled (TRUE) or not.
  2. Do not assign root access to the users specified in the deployment.yaml file.
  3. For pods that do not have a gid (group ID), configure the following:

     securityContext:
       runAsUser: 1000610000

     The configuration ensures that the pods start as user 1000610000. The 1000610000 user cannot switch to the root user or change the root user password.

  4. For the Oracle client, in the listener pod, create a user in a valid group and configure the securityContext as follows:

     securityContext:
       runAsUser: 1000
       runAsGroup: 1001

     The corresponding /etc/passwd and /etc/group entries, where 1000 is the oracle user and 1001 is the dba group:

     oracle:x:1000:1000::/home/oracle:/bin/bash
     dba:x:1001:oracle

     The configuration ensures that the Oracle user also cannot switch to the root user or change the root user password.

  5. For the SCC (anyuid), configure the following values:
    allowHostDirVolumePlugin: false
    allowHostIPC: false
    allowHostNetwork: false
    allowHostPID: false
    allowHostPorts: false
    allowPrivilegeEscalation: true
    allowPrivilegedContainer: false
    allowedCapabilities: null
    apiVersion: security.openshift.io/v1
    defaultAddCapabilities: null
    fsGroup:
      type: RunAsAny
    groups:
    - system:cluster-admins
    kind: SecurityContextConstraints
    metadata:
      annotations:
        kubernetes.io/description: anyuid provides all features of the restricted SCC
          but allows users to run with any UID and any GID.
        release.openshift.io/create-only: "true"
      creationTimestamp: "2020-08-24T17:55:03Z"
      generation: 6
      name: anyuid
      resourceVersion: "23505934"
      selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/anyuid
      uid: 43877aab-c522-4ca9-9575-e8b212749e29
    priority: 10
    readOnlyRootFilesystem: false
    requiredDropCapabilities:
    - MKNOD
    runAsUser:
      type: RunAsAny
    seLinuxContext:
      type: MustRunAs
    supplementalGroups:
      type: RunAsAny
    users:
    - system:serviceaccount:unica:default
    volumes:
    - configMap
    - downwardAPI
    - emptyDir
    - persistentVolumeClaim
    - projected
    - secret
    
  6. For the listener pod, remove all chmod and su commands.
  7. In the listener rc.unicaac, remove the root user check and change the user to oracle.
  8. In the Journey configmap, update the namespace from default to unica.
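The following audit helper is an added example, not part of the Unica documentation or of OpenShift. It reads an SCC manifest (for instance the output of `oc get scc anyuid -o yaml`) and a pod or deployment manifest from stdin and checks them against the settings the steps above require: allowPrivilegedContainer and every allowHost* flag set to false (steps 1 and 5), and a non-root runAsUser declared in the securityContext (steps 2 to 4). The function names and the embedded sample manifests are assumptions constructed for an offline run.

```shell
#!/bin/sh
# Added audit helper (not part of the Unica documentation): checks an SCC
# manifest and a pod spec against the settings required by the steps above.
# Typical use on a cluster:
#   oc get scc anyuid -o yaml | check_scc
#   oc get deploy <name> -o yaml | check_pod_security_context
# Both read YAML on stdin and return 0 when compliant, 1 otherwise.

# Steps 1 and 5: privileged containers and every host* setting must be off.
check_scc() {
  manifest=$(cat)
  rc=0
  for want in \
    allowPrivilegedContainer=false \
    allowHostDirVolumePlugin=false \
    allowHostIPC=false \
    allowHostNetwork=false \
    allowHostPID=false \
    allowHostPorts=false
  do
    key=${want%%=*}
    expected=${want#*=}
    # These keys are top level in an SCC, so the first "key:" token is the one we want.
    actual=$(printf '%s\n' "$manifest" | awk -v k="$key:" '$1 == k { print $2; exit }')
    if [ -z "$actual" ]; then
      echo "MISSING $key (expected $expected)"; rc=1
    elif [ "$actual" != "$expected" ]; then
      echo "FAIL    $key=$actual (expected $expected)"; rc=1
    else
      echo "ok      $key=$actual"
    fi
  done
  return $rc
}

# Steps 2 to 4: the pod must declare a non-root runAsUser.
check_pod_security_context() {
  uid=$(awk '$1 == "runAsUser:" { print $2; exit }')
  if [ -z "$uid" ]; then
    echo "FAIL    no runAsUser set; the container would start as the image default"
    return 1
  elif [ "$uid" = "0" ]; then
    echo "FAIL    runAsUser is 0 (root)"
    return 1
  fi
  echo "ok      runAsUser=$uid"
  return 0
}

# Constructed sample manifests for an offline run (values follow steps 3 and 5).
SAMPLE_SCC='apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: anyuid
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
runAsUser:
  type: RunAsAny'

SAMPLE_POD='spec:
  containers:
  - name: unica
    securityContext:
      runAsUser: 1000610000'

printf '%s\n' "$SAMPLE_SCC" | check_scc
printf '%s\n' "$SAMPLE_POD" | check_pod_security_context
```

The checker deliberately reports a missing key as a failure rather than assuming a default, because an SCC that omits a flag inherits whatever the cluster applies, which is exactly what step 1 tells you not to rely on.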