Custom Security Context Constraint details for Tanzu Application Platform

Custom Security Context Constraint (commonly known as SCC) details for Tanzu Application Platform (commonly known as TAP) components are as follows:

Application Accelerator on OpenShift

On OpenShift clusters, Application Accelerator must run with a custom SecurityContextConstraint (SCC) to enable compliance with restricted Kubernetes pod security standards. Tanzu Application Platform configures the following SCC for Application Accelerator when you configure the kubernetes_distribution: openshift key in the tap-values.yaml file.

Specification follows:

#@ load("@ytt:data", "data")
#@ load("@ytt:assert", "assert")

#@ kubernetes_distribution = data.values.kubernetes_distribution
#@ validDistributions = [None, "", "openshift"]
#@ if kubernetes_distribution not in validDistributions:
#@   assert.fail("{} not in {}".format(kubernetes_distribution, validDistributions))
#@ end

#@ if kubernetes_distribution == "openshift":
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: accelerator-system-nonroot-scc
  namespace: accelerator-system
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - nonroot
  resources:
  - securitycontextconstraints
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: accelerator-system-nonroot-scc
  namespace: accelerator-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: accelerator-system-nonroot-scc
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:accelerator-system
#@ end

Application Live View on OpenShift

On OpenShift clusters, Application Live View must run with a custom SecurityContextConstraint (SCC) to enable compliance with restricted Kubernetes Pod Security Standards. Tanzu Application Platform configures the following SCC for the Application Live View back end, Application Live View connector, and Application Live View convention service when you configure the kubernetes_distribution: openshift key in the tap-values.yaml file.

The following is a SecurityContextConstraints specification for Application Live View connector:

---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: appliveview-connector-restricted-with-seccomp
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
seccompProfiles:
  - runtime/default

The preceding SecurityContextConstraints specification is applicable to Application Live View back end and Application Live View convention service as well.

Application Single Sign-On for OpenShift cluster

On OpenShift clusters, AppSSO must run with a custom SecurityContextConstraint (SCC) to enable compliance with restricted Kubernetes Pod Security Standards. Tanzu Application Platform configures the following SCC for AppSSO controller and its AuthServer managed resources when you configure the kubernetes_distribution: openshift key in the tap-values.yaml file.

Specification follows:

---
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: appsso-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - KILL
  - MKNOD
  - SETUID
  - SETGID
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
seccompProfiles:
  - 'runtime/default'

The AppSSO controller's ServiceAccount is given the following additional permissions, including the use permission for the AppSSO SCC, so that AuthServer can use the custom SCC:

- apiGroups:
    - security.openshift.io
  resources:
    - securitycontextconstraints
  verbs:
    - "get"
    - "list"
    - "watch"
- apiGroups:
    - security.openshift.io
  resourceNames:
    - appsso-scc
  resources:
    - securitycontextconstraints
  verbs:
    - "use"

Contour for OpenShift cluster

On OpenShift clusters, Contour must run with a custom SecurityContextConstraint (SCC) to enable compliance with restricted Kubernetes Pod Security Standards. Tanzu Application Platform configures the following SCC for the service accounts in the tanzu-system-ingress namespace, which applies to Contour’s controller and Envoy pods, when you configure the kubernetes_distribution: openshift key in the tap-values.yaml file.

Specification follows:

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
    kubernetes.io/description: nonroot provides all features of the restricted SCC
      but allows users to run with any non-root UID.  The user must specify the UID
      or it must be specified on the by the manifest of the container runtime. On
      top of the legacy 'nonroot' SCC, it also requires to drop ALL capabilities and
      does not allow privilege escalation binaries. It will also default the seccomp
      profile to runtime/default if unset, otherwise this seccomp profile is required.
  name: contour-seccomp-nonroot-v2
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
- NET_BIND_SERVICE
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
seccompProfiles:
- runtime/default
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

The SCC is bound to the service accounts by using the following Role and RoleBinding:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: contour-seccomp-nonroot-v2
  namespace: tanzu-system-ingress
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - contour-seccomp-nonroot-v2
  resources:
  - securitycontextconstraints
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: contour-seccomp-nonroot-v2
  namespace: tanzu-system-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: contour-seccomp-nonroot-v2
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:tanzu-system-ingress

Developer Conventions for OpenShift cluster

On OpenShift clusters, Developer Conventions must run with a custom SecurityContextConstraint (SCC) to enable compliance with restricted Kubernetes Pod Security Standards. Tanzu Application Platform configures the following SCC for the Developer Conventions webhook when you configure the kubernetes_distribution: openshift key in the tap-values.yaml file.

Specification follows:

---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: developer-conventions-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities: null
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
  - secret
seccompProfiles: []
groups:
  - system:serviceaccounts:developer-conventions

Tanzu Build Service for OpenShift cluster

On OpenShift clusters, Tanzu Build Service must run with a custom Security Context Constraint (SCC) to enable compliance with restricted Kubernetes Pod Security Standards. Tanzu Application Platform configures the following SCC for Tanzu Build Service when you configure the kubernetes_distribution: openshift key in the tap-values.yaml file.

---
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: tbs-restricted-scc-with-seccomp
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - NET_BIND_SERVICE
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
seccompProfiles:
  - runtime/default
supplementalGroups:
  type: RunAsAny
users: []
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret

It also applies the following RBAC to allow Tanzu Build Service services to use the SCC:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    apps.tanzu.vmware.com/aggregate-to-workload: "true"
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: system:tbs:scc:restricted-with-seccomp
rules:
  - apiGroups:
      - security.openshift.io
    resourceNames:
      - tbs-restricted-scc-with-seccomp
    resources:
      - securitycontextconstraints
    verbs:
      - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:tbs:scc:restricted-with-seccomp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:tbs:scc:restricted-with-seccomp
subjects:
  - kind: ServiceAccount
    namespace: build-service
    name: dependency-updater-serviceaccount
  - kind: ServiceAccount
    namespace: build-service
    name: dependency-updater-controller-serviceaccount
  - kind: ServiceAccount
    namespace: build-service
    name: secret-syncer-service-account
  - kind: ServiceAccount
    namespace: build-service
    name: warmer-service-account
  - kind: ServiceAccount
    namespace: build-service
    name: build-service-daemonset-serviceaccount
  - kind: ServiceAccount
    namespace: cert-injection-webhook
    name: cert-injection-webhook-sa
  - kind: ServiceAccount
    namespace: kpack
    name: kp-default-repository-serviceaccount
  - kind: ServiceAccount
    namespace: kpack
    name: kpack-pull-lifecycle-serviceaccount
  - kind: ServiceAccount
    namespace: kpack
    name: controller
  - kind: ServiceAccount
    namespace: kpack
    name: webhook
  - kind: ServiceAccount
    namespace: stacks-operator-system
    name: controller-manager