From 1815dd203d0008758e1d7ad3e806c03fe6cd2ef4 Mon Sep 17 00:00:00 2001 From: David Mueller Date: Thu, 7 Dec 2023 13:46:46 -0500 Subject: [PATCH 1/4] add OCP SCC info #7090 --- modules/ROOT/pages/instanton.adoc | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/modules/ROOT/pages/instanton.adoc b/modules/ROOT/pages/instanton.adoc index f6c40069a4..9dde35068d 100644 --- a/modules/ROOT/pages/instanton.adoc +++ b/modules/ROOT/pages/instanton.adoc @@ -338,6 +338,36 @@ When you deploy to Kubernetes, the container must be granted the `CHECKPOINT_RES - ALL ---- +==== Red Hat OpenShift security context constraints + +To deploy applications to Red Hat OpenShift with InstantOn, you must specify a security context constraint (SCC) that at a minimum grants the capabilities to the defaults that are needed for InstantOn. The following example defines an SCC with these capabilities that is called `defaultAddCapabilities`: + +[source,yaml] +---- +defaultAddCapabilities: +- CHECKPOINT_RESTORE +- SETPCAP +---- + +The applications you deploy must be associated with this SCC, for example, by specifying the `serviceAccountName` setting in the deployment yaml file. The following example specifies the `defaultAddCapabilities` SCC that was defined in the previous example: + +[source,yaml] +---- + serviceAccountName: defaultAddCapabilities + securityContext: + allowPrivilegeEscalation: true + privileged: false + runAsNonRoot: true + capabilities: + add: + - CHECKPOINT_RESTORE + - SETPCAP + drop: + - ALL +---- + +For more information, see the Red Hat documentation for link:https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html[Managing security context constraints]. + [#supported-features] == Open Liberty InstantOn supported features From e76115c9972f2507da4f7644c5ad6ec2165ed8e2 Mon Sep 17 00:00:00 2001 
From: David Mueller Date: Thu, 7 Dec 2023 15:04:58 -0500 Subject: [PATCH 2/4] edits per review #7090 --- modules/ROOT/pages/instanton.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/ROOT/pages/instanton.adoc b/modules/ROOT/pages/instanton.adoc index 9dde35068d..de0a0ce02f 100644 --- a/modules/ROOT/pages/instanton.adoc +++ b/modules/ROOT/pages/instanton.adoc @@ -340,7 +340,7 @@ When you deploy to Kubernetes, the container must be granted the `CHECKPOINT_RES ==== Red Hat OpenShift security context constraints -To deploy applications to Red Hat OpenShift with InstantOn, you must specify a security context constraint (SCC) that at a minimum grants the capabilities to the defaults that are needed for InstantOn. The following example defines an SCC with these capabilities that is called `defaultAddCapabilities`: +To deploy applications to Red Hat OpenShift with InstantOn, you must specify a security context constraint (SCC) that at a minimum specifies a list of additional capabilities that are added to any pod. The following SSC yaml file example defines an SCC with the required capabilities by using the `defaultAddCapabilities` parameter : [source,yaml] ---- 
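Review bot: the rewritten sentence in the hunk at `@@ -340,7 +340,7 @@` has a typo, "The following SSC yaml file example" should read "SCC yaml file example". The same sentence also overstates the scope of the field: `defaultAddCapabilities` adds capabilities only to pods that are admitted under this SCC, not to "any pod", so suggest "a list of additional capabilities that are added to any pod that runs under this SCC". Since the snippet shows only the `defaultAddCapabilities:` field and the next paragraph talks about an SCC named `liberty-instanton-scc`, consider showing the surrounding `kind: SecurityContextConstraints` and `metadata: name: liberty-instanton-scc` lines so a reader can see that the two examples refer to the same object.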
@@ -349,11 +349,11 @@ defaultAddCapabilities: - SETPCAP ---- -The applications you deploy must be associated with this SCC, for example, by specifying the `serviceAccountName` setting in the deployment yaml file. The following example specifies the `defaultAddCapabilities` SCC that was defined in the previous example: +The applications you deploy must be associated with an SCC that adds the required capabilities. For example, you might deploy an SCC called `liberty-instanton-scc` that adds the required capabilities. The following example specifies the `serviceAccountName` parameter to set the SCC name to `liberty-instanton-scc`: [source,yaml] ---- - serviceAccountName: defaultAddCapabilities + serviceAccountName: liberty-instanton-scc securityContext: allowPrivilegeEscalation: true privileged: false From 44a9f6a1f29937a8ec72bb2a2e5decf86f0d68da Mon Sep 17 00:00:00 2001 From: David Mueller Date: Thu, 7 Dec 2023 16:08:52 -0500 Subject: [PATCH 3/4] Update instanton.adoc --- modules/ROOT/pages/instanton.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ROOT/pages/instanton.adoc b/modules/ROOT/pages/instanton.adoc index de0a0ce02f..96aeafab73 100644 --- a/modules/ROOT/pages/instanton.adoc +++ b/modules/ROOT/pages/instanton.adoc 
@@ -349,7 +349,7 @@ defaultAddCapabilities: - SETPCAP ---- -The applications you deploy must be associated with an SCC that adds the required capabilities. For example, you might deploy an SCC called `liberty-instanton-scc` that adds the required capabilities. The following example specifies the `serviceAccountName` parameter to set the SCC name to `liberty-instanton-scc`: +The applications you deploy must be associated with an SCC that adds the required capabilities. For example, you might deploy an SCC called `liberty-instanton-scc` that adds the required capabilities. The following deployment yaml file example specifies the `serviceAccountName` parameter to set the SCC name to `liberty-instanton-scc`: [source,yaml] ---- From baa71b5e2eab867c11ef42e1494b316a2e161e8d Mon Sep 17 00:00:00 2001 From: David Mueller Date: Fri, 8 Dec 2023 11:52:20 -0500 Subject: [PATCH 4/4] edits per peer review #7090 --- modules/ROOT/pages/instanton.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/ROOT/pages/instanton.adoc b/modules/ROOT/pages/instanton.adoc index 96aeafab73..75a665d2da 100644 --- a/modules/ROOT/pages/instanton.adoc +++ b/modules/ROOT/pages/instanton.adoc @@ -318,7 +318,7 @@ Currently, Open Liberty InstantOn is tested and supported on the following publi - link:https://aws.amazon.com/eks/[Amazon Elastic Kubernetes Service (EKS)] - link:https://azure.microsoft.com/en-us/products/kubernetes-service[Azure Kubernetes Service (AKS)] -- link:https://www.redhat.com/en/technologies/cloud-computing/openshift[Red Hat OpenShift] (version 4.14 and later) +- link:https://www.redhat.com/en/technologies/cloud-computing/openshift[Red Hat OpenShift (version 4.14 and later)] Other public cloud Kubernetes services might also work if they have the <<#required-to-restore,prerequisites>> to allow the InstantOn application process to restore. 
@@ -340,7 +340,7 @@ When you deploy to Kubernetes, the container must be granted the `CHECKPOINT_RES ==== Red Hat OpenShift security context constraints -To deploy applications to Red Hat OpenShift with InstantOn, you must specify a security context constraint (SCC) that at a minimum specifies a list of additional capabilities that are added to any pod. The following SSC yaml file example defines an SCC with the required capabilities by using the `defaultAddCapabilities` parameter : +To deploy applications to Red Hat OpenShift with InstantOn, you must specify a security context constraint (SCC) that, at a minimum, specifies a list of additional capabilities that are added to any pod. The following SSC yaml file example defines an SCC with the required capabilities by using the `defaultAddCapabilities` parameter: [source,yaml] ---- @@ -349,7 +349,7 @@ defaultAddCapabilities: - SETPCAP ---- -The applications you deploy must be associated with an SCC that adds the required capabilities. For example, you might deploy an SCC called `liberty-instanton-scc` that adds the required capabilities. The following deployment yaml file example specifies the `serviceAccountName` parameter to set the SCC name to `liberty-instanton-scc`: +The applications you deploy must be associated with an SCC that adds the required capabilities. For example, you might deploy an SCC called `liberty-instanton-scc` that adds the required capabilities. In the following example, the deployment yaml file specifies the `serviceAccountName` parameter to set the SCC name to `liberty-instanton-scc`: [source,yaml] ----
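Review bot: in the hunk at `@@ -340,7 +340,7 @@`, the "SSC yaml file example" typo from PATCH 2/4 survives the peer-review edits; the added line only moves the commas and drops the space before the colon. Change "SSC" to "SCC" here so the final text is consistent with the heading and the rest of the paragraph.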
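Review bot: in the hunk at `@@ -349,7 +349,7 @@`, the sentence "specifies the `serviceAccountName` parameter to set the SCC name to `liberty-instanton-scc`" conflates two different objects. `serviceAccountName` selects a Kubernetes ServiceAccount; an SCC is a separate OpenShift resource that has to be granted to that service account (by a role binding or `oc adm policy add-scc-to-user`) before the pod is admitted with the extra capabilities. Suggest rewording to something like "the deployment uses the `liberty-instanton-scc` service account, which must be granted the `liberty-instanton-scc` SCC", and adding the grant step, because as written a reader who only sets `serviceAccountName` will get a pod rejected by admission. The deployment example that this sentence introduces (added in PATCH 1/4) also sets `allowPrivilegeEscalation: true` next to `runAsNonRoot: true` and `drop: - ALL` without saying why; a one-sentence note on why InstantOn needs that setting would help, since hardening guides usually ask for it to be `false` and reviewers of the deployment will question it.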