Chore(OpenShift): Add openshift scc docs to run experiments on openshift clusters (#3304)

Signed-off-by: udit <udit@chaosnative.com>
2021-10-21 14:38:56 +05:30 · 2021-10-21 14:38:56 +05:30 · 2ec87ba9da
parent 5f2bab7e09
commit 2ec87ba9da
2 changed files with 92 additions and 0 deletions
--- a/mkdocs/docs/experiments/concepts/security/openshift-scc.md
+++ b/mkdocs/docs/experiments/concepts/security/openshift-scc.md
@ -0,0 +1,91 @@
+# OpenShift Security Context Constraint (SCC)
+
+Security context constraints allow administrators to control permissions for pods in a cluster. A service account provides an identity for processes that run in a Pod. The service account within a project which applications would usually be run as is the <code>default</code> service account. You may run other applications in the same project, and don't necessarily want to override the privileges used for all applications, create a new service account which can be granted the special rights. In the project where the application is to run. For example run install litmus-admin service account.
+
+```bash
+$ oc apply -f https://litmuschaos.github.io/litmus/litmus-admin-rbac.yaml
+
+serviceaccount/litmus-admin created
+clusterrole.rbac.authorization.k8s.io/litmus-admin created
+clusterrolebinding.rbac.authorization.k8s.io/litmus-admin created
+
+```
+
+The next step is that which must be run as a cluster administrator. It is the granting of the appropriate rights to the service account. This is done by specifying that the service account should run with a specific security context constraint (SCC).
+
+As an administrator, you can see the list of SCCs that are defined in the cluster by running the oc get scc command.
+
+```bash
+$ oc get scc --as system:admin
+
+NAME               PRIV      CAPS      SELINUX     RUNASUSER          FSGROUP     SUPGROUP    PRIORITY   READONLYROOTFS   VOLUMES
+anyuid             false     []        MustRunAs   RunAsAny           RunAsAny    RunAsAny    10         false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
+hostaccess         false     []        MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath persistentVolumeClaim projected secret]
+hostmount-anyuid   false     []        MustRunAs   RunAsAny           RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir hostPath nfs persistentVolumeClaim projected secret]
+hostnetwork        false     []        MustRunAs   MustRunAsRange     MustRunAs   MustRunAs   <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
+nonroot            false     []        MustRunAs   MustRunAsNonRoot   RunAsAny    RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
+privileged         true      [*]       RunAsAny    RunAsAny           RunAsAny    RunAsAny    <none>     false            [*]
+restricted         false     []        MustRunAs   MustRunAsRange     MustRunAs   RunAsAny    <none>     false            [configMap downwardAPI emptyDir persistentVolumeClaim projected secret]
+```
+
+By default applications would run under the <code>restricted</code> SCC. We can use make use of the default SCC or can create our own SCC to provide the litmus experiment service account (here litmus-admin) to run all the experiments. Here is one such SCC that can be used:
+
+
+<i>litmus-scc.yaml</i>
+```bash
+
+allowHostDirVolumePlugin: true
+allowHostIPC: false
+allowHostNetwork: true
+allowHostPID: true
+allowHostPorts: true
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+- '*'
+apiVersion: security.openshift.io/v1
+defaultAddCapabilities: null
+fsGroup:
+  type: MustRunAs
+groups: []
+kind: SecurityContextConstraints
+metadata:
+  name: litmus-scc
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities: null
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+users:
+- system:serviceaccount:litmus:agro
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- hostPath
+- persistentVolumeClaim
+- projected
+- secret
+```
+
+Install the SCC
+
+```bash
+$ oc create -f litmus-scc.yaml
+securitycontextconstraints.security.openshift.io/litmus-scc created
+```
+
+Now to associate the new service account with the SCC, run the given command
+
+```bash
+$ oc adm policy add-scc-to-user litmus-scc -z litmus-admin --as system:admin -n litmus
+clusterrole.rbac.authorization.k8s.io/system:openshift:scc:litmus-scc added: "litmus-admin"
+```
+
+The <code>-z</code> option indicates to apply the command to the service account in the current project.<br>
+To <code>add-scc-to-user</code> add the name of SCC.<br>
+Provide the namespace of the target service account after <code>-n</code>.
--- a/mkdocs/mkdocs.yml
+++ b/mkdocs/mkdocs.yml
@ -170,6 +170,7 @@ nav:
      - Security:  
          - Pod Security Policies: experiments/concepts/security/psp.md
          - Kyverno Policies: experiments/concepts/security/kyverno-policies.md
+          - OpenShift SCC: experiments/concepts/security/openshift-scc.md
      - AWS IAM Integration: experiments/concepts/IAM/awsIamIntegration.md
    - Litmus FAQ:
      - Contents: experiments/faq/content.md