Security Context Constraints for Unica on Red Hat OpenShift
For any Security Context Constraint (SCC), perform the following steps:

Procedure

- Set AllowPrivilegedContainer to FALSE, whether it is currently enabled (set to TRUE) or not enabled.

- Do not assign root access to the users specified in the deployment.yaml file.

- For pods that do not have a gid (group ID), perform the following configuration:

      securityContext:
        runAsUser: 1000610000

  The configuration ensures that the start user of the pods is 1000610000. The 1000610000 user cannot switch to the root user or change the root user password.

- For the Oracle client, in the listener pod, create a user for a valid group and perform the following configurations:

      securityContext:
        runAsUser: 1000
        runAsGroup: 1001

  with the corresponding passwd and group entries, where 1000 = oracle and 1001 = dba group:

      oracle:x:1000:1000::/home/oracle:/bin/bash
      dba:x:1001:oracle

  The configuration ensures that the Oracle user also cannot switch to the root user or change the root user password.

- For the SCC (anyuid), configure the following values:

      allowHostDirVolumePlugin: false
      allowHostIPC: false
      allowHostNetwork: false
      allowHostPID: false
      allowHostPorts: false
      allowPrivilegeEscalation: true
      allowPrivilegedContainer: false
      allowedCapabilities: null
      apiVersion: security.openshift.io/v1
      defaultAddCapabilities: null
      fsGroup:
        type: RunAsAny
      groups:
      - system:cluster-admins
      kind: SecurityContextConstraints
      metadata:
        annotations:
          kubernetes.io/description: anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID.
          release.openshift.io/create-only: "true"
        creationTimestamp: "2020-08-24T17:55:03Z"
        generation: 6
        name: anyuid
        resourceVersion: "23505934"
        selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/anyuid
        uid: 43877aab-c522-4ca9-9575-e8b212749e29
      priority: 10
      readOnlyRootFilesystem: false
      requiredDropCapabilities:
      - MKNOD
      runAsUser:
        type: RunAsAny
      seLinuxContext:
        type: MustRunAs
      supplementalGroups:
        type: RunAsAny
      users:
      - system:serviceaccount:unica:default
      volumes:
      - configMap
      - downwardAPI
      - emptyDir
      - persistentVolumeClaim
      - projected
      - secret

- For the listener pod, remove all chmod or su.

- In the listener rc.unicaac, remove the root user check and change it to oracle.

- In the Journey configmap, update the namespace from default to unica.
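To check that an exported SCC and a pod securityContext match the values required by the steps above (no privileged containers, no host namespaces, MKNOD dropped, a non-root runAsUser), here is an added audit script; it is not part of the Unica documentation or HCL's tooling, and its minimal line-based reader is an assumption made to avoid a PyYAML dependency, so it reads only the top-level scalars and lists of a manifest such as the anyuid SCC shown above.

```python
# Added example, not HCL's code: audit SCC flags and runAsUser against the steps above.
REQUIRED_FLAGS = {                      # values the procedure above requires
    "allowPrivilegedContainer": "false", "allowHostDirVolumePlugin": "false",
    "allowHostIPC": "false", "allowHostNetwork": "false",
    "allowHostPID": "false", "allowHostPorts": "false",
}
REQUIRED_DROP_CAPS = {"MKNOD"}


def parse_top_level(text):
    """Collect top-level `key: value` scalars and top-level `- item` lists (assumed reader)."""
    scalars, lists, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(" "):
            continue                    # nested blocks (metadata, fsGroup ...) are not needed
        if line.startswith("- ") and current:
            lists.setdefault(current, []).append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        current = key.strip()
        if value.strip():
            scalars[current] = value.strip()
    return scalars, lists


def audit_scc(text):
    """Return findings; an empty list means the SCC matches the required values."""
    scalars, lists = parse_top_level(text)
    findings = [f"{k} should be {v}, found {scalars.get(k)}"
                for k, v in REQUIRED_FLAGS.items() if scalars.get(k) != v]
    for cap in sorted(REQUIRED_DROP_CAPS - set(lists.get("requiredDropCapabilities", []))):
        findings.append(f"requiredDropCapabilities must include {cap}")
    return findings


def audit_run_as_user(security_context):
    """runAsUser must be set and non-zero so the pod cannot start as root."""
    uid = security_context.get("runAsUser")
    if uid is None:
        return ["runAsUser is not set; pod may start as root"]
    return ["runAsUser is 0 (root)"] if int(uid) == 0 else []


# Constructed sample: an anyuid-style SCC that still allows privileged containers.
WEAK_SCC = """allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: true
requiredDropCapabilities:
- MKNOD
"""
```

Running audit_scc on the SCC exported from the cluster and audit_run_as_user on each pod's securityContext reports every value that still deviates from the procedure.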