Pod security

Learn how to run the Strimzi Cluster Operator and Kafka cluster pods with a restricted profile.

Running the Strimzi Cluster Operator with a restricted profile

You run the Strimzi Cluster Operator with a restricted profile by configuring the podSecurityContext Helm property.

By default, the Strimzi Cluster Operator runs with the baseline profile. However, the Helm templates allow you to customize the security context of the Strimzi Cluster Operator with the podSecurityContext property. You run the Strimzi Cluster Operator with a restricted profile by specifying appropriate privileges during installation. For example, the helm install command you run would be similar to the following.

helm install csm-operator [***HELM CHART***] --namespace [***NAMESPACE***] \
  --create-namespace \
  --set watchAnyNamespace=true \
  --set securityContext.allowPrivilegeEscalation=false \
  --set securityContext.capabilities.drop={ALL} \
  --set securityContext.runAsNonRoot=true \
  --set securityContext.seccompProfile.type=RuntimeDefault

Running Kafka clusters with restricted profile

You run your Kafka cluster with a restricted profile either by setting the security context manually in the Kafka resource with spec.*.template.pod.securityContext for each Kafka cluster component, or by using a pod security provider to set the security context across all pods.

Setting the security context manually

The Kafka resource allows users to specify the security context at the pod and container level with template properties.

#...
kind: Kafka
spec:
  kafka:
    template:
      pod:
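        securityContext:
          # Pod-level fields, inherited by every container in the pod
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
      kafkaContainer:
        securityContext:
          # allowPrivilegeEscalation and capabilities exist only at container level
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL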
  cruiseControl:
    template:
      pod:
        securityContext:
          # ...
      cruiseControlContainer:
        # ...

Using security providers

Pod Security Providers allow you to manage the security context for all pods and containers managed by the Strimzi Cluster Operator from a single location. That is, a Security Provider defines the default security context of the pods and containers that the Strimzi Cluster Operator creates and manages. The following two providers are available.

Baseline
The Baseline Provider is based on the Kubernetes baseline security profile. This is a minimally restrictive profile that prevents privilege escalations and defines other standard access controls and limitations.
Restricted
The Restricted Provider is based on the Kubernetes restricted security profile. This is a highly restrictive profile intended for environments where a high level of security is critical.

By default, the Strimzi Cluster Operator uses the Baseline Provider. To use the Restricted Provider, set the STRIMZI_POD_SECURITY_PROVIDER_CLASS environment variable of the Strimzi Cluster Operator to restricted. This is done during installation. For example:

helm install csm-operator [***HELM CHART***] --namespace [***NAMESPACE***] \
  --create-namespace \
  --set extraEnvs[0].name=STRIMZI_POD_SECURITY_PROVIDER_CLASS \
  --set extraEnvs[0].value=restricted
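
Whichever method you use, you can confirm the result by checking the pods that were actually created. The following is an added example, not part of the product documentation: it checks one pod object, shaped like an item from kubectl get pods -o json, against the four settings used on this page. The sample pod, its names, and the function name are constructed for illustration.

```python
import json

# Constructed sample shaped like one item of `kubectl get pods -o json`;
# the pod and container names are made up for this example.
SAMPLE_POD = json.loads("""
{"metadata": {"name": "example-kafka-0"},
 "spec": {
   "securityContext": {"runAsNonRoot": true,
                       "seccompProfile": {"type": "RuntimeDefault"}},
   "initContainers": [
     {"name": "init", "securityContext": {
        "allowPrivilegeEscalation": false, "capabilities": {"drop": ["ALL"]}}}],
   "containers": [
     {"name": "kafka", "securityContext": {"allowPrivilegeEscalation": false}}]}}
""")

# seccomp profile types the Kubernetes restricted profile accepts.
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def restricted_violations(pod):
    """Return (container, problem) pairs for the four settings used on this page."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    found = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            sc = c.get("securityContext") or {}
            # Container-only fields: there is no pod-level value to inherit.
            if sc.get("allowPrivilegeEscalation") is not False:
                found.append((c["name"], "allowPrivilegeEscalation must be false"))
            if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
                found.append((c["name"], "capabilities.drop must include ALL"))
            # Fields where a container value, if set, overrides the pod-level one.
            non_root = sc.get("runAsNonRoot")
            if non_root is None:
                non_root = pod_sc.get("runAsNonRoot")
            if non_root is not True:
                found.append((c["name"], "runAsNonRoot must be true"))
            seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
            if seccomp.get("type") not in ALLOWED_SECCOMP:
                found.append((c["name"], "seccompProfile.type not allowed"))
    return found


if __name__ == "__main__":
    for name, problem in restricted_violations(SAMPLE_POD):
        print(f"{SAMPLE_POD['metadata']['name']}/{name}: {problem}")
```

The sample is flagged because its kafka container sets allowPrivilegeEscalation but does not drop capabilities. Those two fields are not inherited from the pod level, so every container must set them itself.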