onyxia
Support SCC in OpenShift
OpenShift has SecurityContextConstraints (SCC) that control what a pod is allowed to request (privileged mode, run-as user, SELinux context, volume types, and so on). When Onyxia users launch any service, Onyxia creates k8s objects in a specific namespace. If the SCC in OpenShift does not allow them, the objects won't be created and the service will not be launched.
Creating a global security context constraint (SCC) with less restrictive policies for all users or namespaces reduces safety; this is not good for shared k8s clusters.
Solution
The solution is to organize personalized role-based access to the SCC for each user's/project's namespace. This is quite easy to maintain.
- On the Onyxia initialisation/installation step, create a global SCC and a global ClusterRole, like these:
```yaml
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: onyxia
allowPrivilegedContainer: false
allowHostDirVolumePlugin: true
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
# I am just not sure about the policies in the SCC. Maybe it is too much for the existing services; I didn't check them all.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: onyxia-user
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - onyxia
  resources:
  - securitycontextconstraints
  verbs:
  - use
```
- On user onboarding, when creating a namespace `user-myuser` for a user/project (here in onyxia-api), create a "personal" RoleBinding like this:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: onyxia-user
  namespace: onyxia-user-sk074d7l
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts:user-myuser
roleRef:
  kind: ClusterRole
  name: onyxia-user
  apiGroup: rbac.authorization.k8s.io
```
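An added example of the onboarding step above (not code from onyxia-api or the onboarding operator): it derives the per-namespace RoleBinding from the namespace name alone, so the `system:serviceaccounts:<namespace>` group can never drift from the namespace the binding lives in, and it checks that the global ClusterRole really grants `use` on the `onyxia` SCC and nothing broader. The namespace `user-myuser` is a constructed sample value.

```python
# Added example, not onyxia-api or onyxia-onboarding-operator code.
import json

SCC_NAME = "onyxia"            # the global SCC from the issue
CLUSTER_ROLE_NAME = "onyxia-user"

# The global ClusterRole from the issue, written inline as a dict.
ONYXIA_USER_CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": CLUSTER_ROLE_NAME},
    "rules": [{
        "apiGroups": ["security.openshift.io"],
        "resources": ["securitycontextconstraints"],
        "resourceNames": [SCC_NAME],
        "verbs": ["use"],
    }],
}

def grants_scc_use(cluster_role: dict, scc_name: str) -> bool:
    """True if a rule grants the 'use' verb on exactly this SCC by name.
    Wildcards ('*') would work at runtime but are broader than intended,
    so they are deliberately not accepted here."""
    for rule in cluster_role.get("rules", []):
        if ("security.openshift.io" in rule.get("apiGroups", [])
                and "securitycontextconstraints" in rule.get("resources", [])
                and scc_name in rule.get("resourceNames", [])
                and "use" in rule.get("verbs", [])):
            return True
    return False

def render_rolebinding(namespace: str) -> dict:
    """RoleBinding letting every ServiceAccount of `namespace` use the SCC."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": CLUSTER_ROLE_NAME, "namespace": namespace},
        "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                      # built-in group of all ServiceAccounts in the namespace
                      "name": f"system:serviceaccounts:{namespace}"}],
        "roleRef": {"kind": "ClusterRole", "name": CLUSTER_ROLE_NAME,
                    "apiGroup": "rbac.authorization.k8s.io"},
    }

def binding_is_consistent(rb: dict) -> bool:
    """A RoleBinding only affects pods in its own namespace, so the group it
    names must be that namespace's serviceaccounts group."""
    ns = rb["metadata"]["namespace"]
    groups = {s["name"] for s in rb["subjects"] if s["kind"] == "Group"}
    return f"system:serviceaccounts:{ns}" in groups and rb["roleRef"]["name"] == CLUSTER_ROLE_NAME

if __name__ == "__main__":
    print(json.dumps(render_rolebinding("user-myuser"), indent=2))  # JSON is valid YAML
```

The printed manifest can be applied with `oc apply -f -`; on a live cluster, `oc auth can-i use securitycontextconstraints/onyxia --as=system:serviceaccount:user-myuser:default` confirms the binding took effect.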
Notes
Make sure it stays coherent with Onyxia configured in "admin" mode, because there are multiple installation modes:
- using the users' own accounts
- using an Onyxia service account
It will not behave the same in these 2 cases.
This functionality must also be implemented in onyxia-onboarding-operator.
done