Pod security
Learn how to run the Strimzi Cluster Operator and Kafka cluster pods with a restricted profile.
Running the Strimzi Cluster Operator with a restricted profile
You run the Strimzi Cluster Operator with a restricted profile by configuring the podSecurityContext Helm property.
By default, the Strimzi Cluster Operator runs with the baseline profile. However, the Helm templates allow you to customize the security context of the Strimzi Cluster Operator with the podSecurityContext property. You run the Strimzi Cluster Operator with a restricted profile by specifying the appropriate privileges during installation. For example, the helm install command you run would be similar to the following.
helm install csm-operator [***HELM CHART***] --namespace [***NAMESPACE***] \
  --create-namespace \
  --set watchAnyNamespace=true \
  --set securityContext.allowPrivilegeEscalation=false \
  --set securityContext.capabilities.drop={ALL} \
  --set securityContext.runAsNonRoot=true \
  --set securityContext.seccompProfile.type=RuntimeDefault
Running Kafka clusters with a restricted profile
You run your Kafka cluster with a restricted profile either by setting the security context manually in the Kafka resource with spec.*.template.pod.securityContext for each Kafka cluster component, or by using a pod security provider to set the security context across all pods.
Setting the security context manually
The Kafka resource allows you to specify the security context at the pod and container level with template properties.
#...
kind: Kafka
spec:
  kafka:
    template:
      pod:
        # Pod-level securityContext: these settings are inherited by every
        # container in the pod unless a container overrides them.
        securityContext:
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
      kafkaContainer:
        # Container-level securityContext: allowPrivilegeEscalation and
        # capabilities exist only at the container level.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
  cruiseControl:
    template:
      pod:
        securityContext:
          # ...
      cruiseControlContainer:
        securityContext:
          # ...
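To confirm that the rendered pods actually carry the four restricted-profile settings configured above, the following audit function is an added example (not Strimzi code and not from the original page). It checks every container of a pod spec, taking into account that runAsNonRoot and seccompProfile may be inherited from the pod-level securityContext while allowPrivilegeEscalation and capabilities must be set on each container; the sample pod and its container names are constructed for illustration.

```python
"""Audit a pod spec against the restricted-profile settings used on this page."""

# Constructed sample pod (hypothetical, not captured from a real cluster):
# the kafka container is compliant, the sidecar container is not.
SAMPLE_POD = {
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [
            {"name": "kafka",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}}},
            {"name": "sidecar",  # pod-level settings cannot supply container-only fields
             "securityContext": {"runAsNonRoot": True}},
        ],
    }
}

# The restricted profile accepts either of these seccomp profile types.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _effective(pod_sc, ctr_sc, key):
    """Container-level value wins; otherwise fall back to the pod-level value."""
    return ctr_sc.get(key, pod_sc.get(key))


def restricted_violations(pod):
    """Return one message per missing restricted-profile setting, per container."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    problems = []
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = ctr["name"], ctr.get("securityContext") or {}
        # allowPrivilegeEscalation and capabilities exist only on the container securityContext.
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        # runAsNonRoot and seccompProfile may be inherited from the pod securityContext.
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            problems.append(f"{name}: runAsNonRoot must be true")
        seccomp = _effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems
```

On a live cluster, feed it the output of kubectl get pod -o json (parsed with the json module) for each pod the Cluster Operator creates; an empty list means the pod meets all four settings.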
Using security providers
Pod Security Providers allow you to manage the security context for all pods and containers managed by the Strimzi Cluster Operator from a single location. That is, a Security Provider defines the default security context of the pods and containers that the Strimzi Cluster Operator creates and manages. The following two providers are available.
- Baseline: The Baseline Provider is based on the Kubernetes baseline security profile. This is a minimally restrictive profile that prevents privilege escalation and defines other standard access controls and limitations.
- Restricted: The Restricted Provider is based on the Kubernetes restricted security profile. This is a highly restrictive profile intended for environments where a high level of security is critical.
By default, the Strimzi Cluster Operator uses the Baseline Provider. To use the Restricted Provider, set the STRIMZI_POD_SECURITY_PROVIDER_CLASS environment variable of the Strimzi Cluster Operator to restricted. This is done during installation. For example:
helm install csm-operator [***HELM CHART***] --namespace [***NAMESPACE***] \
  --create-namespace \
  --set extraEnvs[0].name=STRIMZI_POD_SECURITY_PROVIDER_CLASS \
  --set extraEnvs[0].value=restricted