Skip to content

Commit 7aed980

Browse files
lahinsonlahinson
committed
[OSDOCS-13450]: Isolation details for HCP
1 parent 262ae25 commit 7aed980

File tree

2 files changed

+42
-0
lines changed

2 files changed

+42
-0
lines changed

Diff for: hosted_control_planes/hcp-prepare/hcp-distribute-workloads.adoc

+1
Original file line numberDiff line numberDiff line change
@@ -24,3 +24,4 @@ Do not use the management cluster for your workload. Workloads must not run on n
2424
include::modules/hcp-labels-taints.adoc[leveloffset=+1]
2525
include::modules/hcp-priority-classes.adoc[leveloffset=+1]
2626
include::modules/hcp-virt-taints-tolerations.adoc[leveloffset=+1]
27+
include::modules/hcp-isolation.adoc[leveloffset=+1]

Diff for: modules/hcp-isolation.adoc

+41
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * hosted_control_planes/hcp-prepare/hcp-distribute-workloads.adoc
4+
5+
:_mod-docs-content-type: CONCEPT
6+
[id="hcp-isolation_{context}"]
7+
= Control plane isolation
8+
9+
You can configure {hcp} to isolate network traffic or control plane pods.
10+
11+
== Network policy isolation
12+
13+
Each hosted control plane is assigned to run in a dedicated Kubernetes namespace. By default, the Kubernetes namespace denies all network traffic.
14+
15+
The following network traffic is allowed through the network policy that is enforced by the Kubernetes Container Network Interface (CNI):
16+
17+
* Ingress pod-to-pod communication in the same namespace (intra-tenant)
18+
* Ingress on port 6443 to the hosted kube-apiserver pod for the tenant
19+
* Metric scraping from the management cluster Kubernetes namespace with the `network.openshift.io/policy-group: monitoring` label is allowed for monitoring
20+
21+
== Control plane pod isolation
22+
23+
In addition to network policies, each hosted control plane pod is run with the `restricted` security context constraint. This policy denies access to all host features and requires pods to be run with a UID, and SELinux context that is allocated uniquely to each namespace hosting a customer control plane.
24+
25+
The policy ensures the following constraints:
26+
* Pods cannot run as privileged.
27+
* Pods cannot mount host directory volumes.
28+
* Pods must run as a user in a pre-allocated range of UIDs.
29+
* Pods must run with a pre-allocated MCS label.
30+
* Pods cannot access the host network namespace.
31+
* Pods cannot expose host network ports.
32+
* Pods cannot access the host PID namespace.
33+
* By default, pods drop the following Linux capabilities: `KILL`, `MKNOD`, `SETUID`, and `SETGID`.
34+
35+
The management components, such as `kubelet` and `crio`, on each management cluster worker node are protected by an SELinux label that is not accessible to the SELinux context for pods that support {hcp}.
36+
37+
The following SELinux labels are used for key processes and sockets:
38+
* *kubelet*: `system_u:system_r:unconfined_service_t:s0`
39+
* *crio*: `system_u:system_r:container_runtime_t:s0`
40+
* *crio.sock*: `system_u:object_r:container_var_run_t:s0`
41+
* *<example user container processes>*: `system_u:system_r:container_t:s0:c14,c24`

0 commit comments

Comments
 (0)