10. Configure Application Security

Question 1

1. Configure and manage service accounts

Answer 1

Create service accounts
A service account is a Kubernetes object within a project. The service account represents the identity of an application that runs in a pod

ServiceAccount SA
oc create sa mysvc-account
oc create serviceaccount mysvc-account2
To learn more about SA, check the documentation.

Configure and manage service accounts
Use SA
# set a servicaccount (sa) in exisiting deployment
oc set serviceaccount deployment/<deployment-name> <service-account-name></service-account-name></deployment-name>

# add the sa in your workload manifest directly
…
spec:
serviceAccountName: <service-account-name>
containers:
...</service-account-name>

# check sa options
oc explain sa

Question 2

2. Run privileged applications

Question 3

3. Create service accounts

Answer 3

See security context constraints section below.

Question 4

4. Manage and apply permissions using security context constraints

Answer 4

OpenShift provides security context constraints(SCCs), a security mechanism that limits the access from a running pod in OpenShift to the host environment.
SCCs control the following host resources:

Running privileged containers
Requesting extra capabilities for a container
Using host directories as volumes
Changing the SELinux context of a container
Changing the user ID
OpenShift provides the following default SCCs (Most pods that OpenShift creates use the restricted SCC):

anyuid
hostaccess
hostmount-anyuid
hostnetwork
node-exporter
nonroot
privileged
restricted
SCC
oc get scc

oc describe scc anyuid
Name: anyuid
Priority: 10
Access:
Users: <none>
Groups: system:cluster-admins
Settings:
...output omitted</none>

oc describe pod console-5df4fcbb47-67c52 -n openshift-console | grep scc
openshift.io/scc: restricted
Review a pod securityContext requirements

Container images that are downloaded from public container registries, such as Docker Hub, might fail to run when using the restricted SCC.

A container image that requires running as a specific user ID can fail because the restricted SCC runs the container by using a random user ID.
A container image that listens on port 80/443 can fail for a related reason. The random user ID that the restricted SCC uses cannot start a service that listens on a privileged network port (port < 1024)
Use the scc-subject-review subcommand to list all the security context constraints that can overcome the limitations of a container: oc get pod podname -o yaml | oc adm policy scc-subject-review -f -

Apply a SCC

To change the container to run with a different SCC, you must create a service account that is bound to a pod.

Attach SCC
# example workload
oc new-app –name gitlab –image registry.ocp4.example.com:8443/redhattraining/gitlab-ce:8.4.3-ce.0
## the pod fails to run with error
## Chef::Exceptions::InsufficientPermissions: Cannot create directory[/etc/gitlab] at /etc/gitlab due to insufficient permissions

create the sa
## log back with an admin user
oc create sa gitlab-sa

associate a SCC to the sa
## oc adm policy add-scc-to-user <SCC> -z <service-account>
oc adm policy add-scc-to-user anyuid -z gitlab-sa</service-account></SCC>

update the deployment gitlab with the sa gitlab-sa
## can login back as normal user
## oc set serviceaccount deployment/<deployment-name> <service-account-name>
oc set serviceaccount deployment/gitlab gitlab-sa</service-account-name></deployment-name>

Question 5

5. Create and apply secrets to manage sensitive information

Answer 5

Secrets
oc create secret -h
oc get secret

# extract and update secret data
oc extract secret/htpasswd-secret –to /tmp/ –confirm
oc set data secret/htpasswd-secret –from-file htpasswd=/tmp/htpasswd

Question 6

6. Configure application access to Kubernetes APIs

Answer 6

To grant an application access to a Kubernetes API, take these actions:

Create an application service account.
Grant the service account access to the Kubernetes API.
Assign the service account to the application pods
App Access
# create sa
## creating a dedicated project
oc new-project configmap-reloader
oc create sa configmap-reloader

# creating a switching in new project
oc new-project appsec-api

# assign the “edit” cluster role to the “configmap-reload”(created in configmap-reloader) sa in current project appsec-api
oc adm policy add-role-to-user edit system:serviceaccount:configmap-reloader:configmap-reloader –rolebinding-name=reloader-edit
# system:serviceaccount:configmap-reloader: used to get the sa configmap-reloader from the project configmap-reloader

# add the sa in the deployment manifest
serviceAccountName: configmap-reload

Question 7

7. Configure Kubernetes CronJobs

Answer 7

You can use oc create cronjob to create the jobs or generate a manifest

Cronjob
oc create cronjob test \
–image=registry.access.redhat.com/ubi8/ubi:8.6 \
–schedule=’0 0 * * *’ \
– curl https://example.com \
–dry-run=client -o yaml

  apiVersion: batch/v1
  kind: CronJob
  metadata:
    creationTimestamp: null
    name: test
  spec:
    jobTemplate:
      metadata:
        creationTimestamp: null
        name: test
      spec:
        template:
          metadata:
            creationTimestamp: null
          spec:
            containers:
            - command:
              - curl
              - https://example.com
              image: registry.access.redhat.com/ubi8/ubi:8.6
              name: test
              resources: {}
            restartPolicy: OnFailure
    schedule: 0 0 * * *
  status: {}