TELCODOCS#2004: Day 2 Operations - Security Doc

_topic_maps/_topic_map.yml

@@ -3475,6 +3475,15 @@ Topics:
     Topics:
     - Name: Observability in OpenShift Container Platform
       File: telco-observability
+  - Name: Security
+    Dir: security
+    Topics:
+    - Name: Security basics
+      File: telco-security-basics
+    - Name: Host security
+      File: telco-security-host-sec
+    - Name: Security context constraints
+      File: telco-security-sec-context-constraints
 ---
 Name: Specialized hardware and driver enablement
 Dir: hardware_enablement

edge_computing/day_2_core_cnf_clusters/security/_attributes

@@ -0,0 +1 @@
+../../../_attributes/

edge_computing/day_2_core_cnf_clusters/security/images

@@ -0,0 +1 @@
+../../../images/

edge_computing/day_2_core_cnf_clusters/security/modules

@@ -0,0 +1 @@
+../../../modules/

edge_computing/day_2_core_cnf_clusters/security/snippets

@@ -0,0 +1 @@
+../../../snippets/

edge_computing/day_2_core_cnf_clusters/security/telco-security-basics.adoc

@@ -0,0 +1,56 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="telco-security-basics"]
+= Security basics
+include::_attributes/common-attributes.adoc[]
+:context: telco-security-basics
+
+toc::[]
+
+Security is a critical component of telecommunications deployments on {product-title}, particularly when running containerized network functions (CNFs). This document provides an overview of security considerations for deploying {product-title} in telecommunications (telco) environments, with a focus on securing Containerized Network Functions (CNFs). It is aimed at organizations and users working with high-bandwidth network deployments.
+
+The document consolidates key information from existing resources and highlights the most current security practices. It serves as a reference for understanding security standards and best practices for telco use cases. 
+
+include::modules/telco-security-rbac-overview.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../authentication/using-rbac.adoc#authorization-overview_using-rbac[Using RBAC to define and apply permissions]
+
+include::modules/telco-security-sec-accounts-overview.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../authentication/understanding-and-creating-service-accounts.adoc[Understanding and creating service accounts]
+
+[role="_additional-resources"]
+.Additional resources
+
+include::modules/telco-security-identity-prov-config.adoc[leveloffset=+1]
+
+xref:../../../authentication/understanding-identity-provider.adoc[Understanding identity provider configuration]
+
+include::modules/telco-security-replacing-kubeadmin-user.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#identity-provider-htpasswd-about_configuring-htpasswd-identity-provider[About htpasswd authentication]
+
+include::modules/telco-security-sec-considerations-telco.adoc[leveloffset=+1]
+
+include::modules/telco-security-pod-sec-in-kub-and-ocp.adoc[leveloffset=+1]
+
+include::modules/telco-security-key-areas-for-cnf-deploy.adoc[leveloffset=+1]
+
+include::modules/telco-security-infra.adoc[leveloffset=+1]
+
+include::modules/telco-security-lifecycle-mgmnt.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+xref:../../../edge_computing/day_2_core_cnf_clusters/updating/telco-update-welcome.adoc[Upgrading a telco core CNF clusters]
+
+include::modules/telco-security-evolu-nf-to-cnf.adoc[leveloffset=+1]

edge_computing/day_2_core_cnf_clusters/security/telco-security-host-sec.adoc

@@ -0,0 +1,27 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="telco-security-host-sec"]
+= Host security
+include::_attributes/common-attributes.adoc[]
+:context: telco-security-host-sec
+
+toc::[]
+
+include::modules/telco-security-rhcos-overview.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../architecture/architecture-rhcos.adoc#rhcos-about_architecture-rhcos[About RHCOS]
+
+* xref:../../../architecture/architecture-rhcos.adoc[Red Hat Enterprise Linux CoreOS (RHCOS)].
+
+* xref:../../../edge_computing/day_2_core_cnf_clusters/security/telco-security-host-sec.adoc#telco-security-linux-capabilities-overview[Linux capabilities].
+
+include::modules/telco-security-command-line-host-access.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../support/troubleshooting/investigating-pod-issues.adoc#starting-debug-pods-with-root-access_investigating-pod-issues[Starting debug pods with root access].
+
+include::modules/telco-security-linux-capabilities-overview.adoc[leveloffset=+1]

edge_computing/day_2_core_cnf_clusters/security/telco-security-sec-context-constraints.adoc

@@ -0,0 +1,96 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="telco-security-sec-context-constraints"]
+= Security context constraints
+include::_attributes/common-attributes.adoc[]
+:context: telco-security-sec-context-constraints
+:imagesdir: images
+
+toc::[]
+
+Similar to the way that RBAC resources control user access, administrators can use security context constraints (SCCs) to control permissions for pods. These permissions determine the actions that a pod can perform and what resources it can access. You can use SCCs to define a set of conditions that a pod must run w>
+
+Security context constraints allow an administrator to control:
+
+* Whether a pod can run privileged containers with the `allowPrivilegedContainer` flag
+* Whether a pod is constrained with the `allowPrivilegeEscalation` flag
+* The capabilities that a container can request
+* The use of host directories as volumes
+* The SELinux context of the container
+* The container user ID
+* The use of host namespaces and networking
+* The allocation of an `FSGroup` that owns the pod volumes
+* The configuration of allowable supplemental groups
+* Whether a container requires write access to its root file system
+* The usage of volume types
+* The configuration of allowable `seccomp` profiles
+
+Default SCCs are created during installation and when you install some Operators or other components. As a cluster administrator, you can also create your own SCCs by using the OpenShift CLI (`oc`).
+
+For information about default security context constraints, see xref:../../../authentication/managing-security-context-constraints.adoc#default-sccs_configuring-internal-oauth[Default security context constraints].
+
+[IMPORTANT]
+====
+Do not modify the default SCCs. Customizing the default SCCs can lead to issues when some of the platform pods deploy or {product-title} is upgraded. Additionally, the default SCC values are reset to the defaults during some cluster upgrades, which discards all customizations to those SCCs.
+
+Instead of modifying the default SCCs, create and modify your own SCCs as needed. For detailed steps, see xref:../../../authentication/managing-security-context-constraints.adoc#security-context-constraints-creating_configuring-internal-oauth[Creating security context constraints].
+====
+
+You can use the following basic SCCs:
+
+* `restricted`
+* `restricted-v2`
+
+The `restricted-v2` SCC is the most restrictive SCC provided by a new installation and will be used by default for authenticated users. It aligns with Pod Security Admission (PSA) restrictions and improves security, as the original `restricted` SCC is less restrictive. It also helps transition from the original SCCs to v2 across multiple releases. Eventually, the original SCCs get deprecated. Therefore, it is recommended to use the `restricted-v2` SCC.
+
+You can examine the `restricted-v2` SCC by running the following command:
+[source,terminal]
+----
+$ oc describe scc restricted-v2
+----
+.Example output
+[source,terminal]
+----
+Name:                                           restricted-v2
+Priority:                                       <none>
+Access:
+  Users:                                        <none>
+  Groups:                                       <none>
+Settings:
+  Allow Privileged:                             false
+  Allow Privilege Escalation:                   false
+  Default Add Capabilities:                     <none>
+  Required Drop Capabilities:                   ALL
+  Allowed Capabilities:                         NET_BIND_SERVICE
+  Allowed Seccomp Profiles:                     runtime/default
+  Allowed Volume Types:                         configMap,downwardAPI,emptyDir,ephemeral,persistentVolumeClaim,projected,secret
+  Allowed Flexvolumes:                          <all>
+  Allowed Unsafe Sysctls:                       <none>
+  Forbidden Sysctls:                            <none>
+  Allow Host Network:                           false
+  Allow Host Ports:                             false
+  Allow Host PID:                               false
+  Allow Host IPC:                               false
+  Read Only Root Filesystem:                    false
+  Run As User Strategy: MustRunAsRange
+    UID:                                        <none>
+    UID Range Min:                              <none>
+    UID Range Max:                              <none>
+  SELinux Context Strategy: MustRunAs
+    User:                                       <none>
+    Role:                                       <none>
+    Type:                                       <none>
+    Level:                                      <none>
+  FSGroup Strategy: MustRunAs
+    Ranges:                                     <none>
+  Supplemental Groups Strategy: RunAsAny
+    Ranges:                                     <none>
+----
+
+The `restricted-v2` SCC explicitly denies everything except what it explicitly allows. The following settings define the allowed capabilities and security restrictions:
+
+* Default add capabilities: Set to `<none>`. It means that no capabilities are added to a pod by default.
+* Required drop capabilities: Set to `ALL`. This drops all the default Linux capabilities of a pod.
+* Allowed capabilities: `NET_BIND_SERVICE`. A pod can request this capability, but it is not added by default.
+* Allowed `seccomp` profiles: `runtime/default`. 
+
+For more information, see xref:../../../authentication/managing-security-context-constraints.adoc[Managing security context constraints].

modules/telco-security-command-line-host-access.adoc

@@ -0,0 +1,43 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/observability/telco-security-host-sec.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="telco-security-command-line-host-access_{context}"]
+= Command-line host access
+
+Direct access to a host must be restricted to avoid modifying the host or accessing pods that should not be accessed. For users who need direct access to a host, it is recommended to use an external authenticator, like SSSD with LDAP, to manage access. This helps maintain consistency across the cluster through the Machine Config Operator.
+
+[IMPORTANT]
+====
+Do not configure direct access to the root ID on any {product-title} cluster server.
+====
+
+You can connect to a node in the cluster using the following methods:
+
+Using debug pod:: This is the recommended method to access a node. To debug a node, run the following command:
++
+[source,terminal]
+----
+$ oc debug node/worker0
+# chroot /host
+----
+This gives you root access within a debug pod on the node. For more information, see "Starting debug pods with root access".
+
+Direct SSH:: Avoid using root. Instead, use the core user ID (or your own ID). To connect to the node using SSH, run the following command:
++
+[source,terminal]
+----
+$ ssh core@worker0
+[core@ctrl-plane-0 ~]$ sudo -i
+[root@ctrl-plane-0 ~]#
+----
++
+[IMPORTANT]
+====
+The core user ID is initially given `sudo` privilege within the cluster.
+====
++
+If you cannot connect to a node using SSH, see link:https://access.redhat.com/solutions/4073041[How to connect to {product-title} 4.x Cluster nodes using SSH bastion pod] to add your SSH key to the core user.
+
+Console Access:: Ensure that consoles are secure. Do not allow direct login with the root ID, instead use individual IDs.

modules/telco-security-evolu-nf-to-cnf.adoc

@@ -0,0 +1,18 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/observability/telco-security-basics.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="telco-security-evolution-of-nf-to-cnf_{context}"]
+= Evolution of Network Functions to CNFs
+
+Network Functions (NFs) began as Physical Network Functions (PNFs), which were purpose-built hardware devices operating independently. Over time, PNFs evolved into Virtual Network Functions (VNFs), which virtualized their capabilities while controlling resources like CPU, memory, storage, and network.
+
+As technology advanced further, VNFs transitioned to Containerized Network Functions (CNFs). CNFs run in lightweight, secure, and scalable containers. They enforce stringent restrictions, including non-root execution and minimal host interference, to enhance security and performance.
+
+PNFs had unrestricted root access to operate independently without interference. With the shift to VNFs, resource usage was controlled, but processes could still run as root within their virtual machines. In contrast, CNFs restrict root access and limit container capabilities to prevent interference with other containers or the host operating system.
+
+The main challenges in migrating to CNFs are as follows:
+
+* Breaking down monolithic network functions into smaller, containerized processes.
+* Adhering to cloud-native principles, such as non-root execution and isolation, while maintaining telco-grade performance and reliability.

modules/telco-security-identity-prov-config.adoc

@@ -0,0 +1,20 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/observability/telco-security-basics.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="telco-security-identity-prov-config_{context}"]
+= Identity provider configuration
+
+Configuring an identity provider is the first step in setting up users on the cluster. You can manage groups at the organizational level by using an identity provider. 
+
+The identity provider can pull in specific user groups that are maintained at the organizational level, rather than the cluster level. This allows you to add and remove users from groups that follow your organization’s established practices.
+
+[NOTE]
+====
+You must set up a cron job to run frequently to pull any changes into the cluster.
+====
+
+By using an identity provider, you can manage the level of access for specific groups within your organization. Teams requiring cluster-level privileges can be assigned the `cluster-admin` role, while application administrators can be given specific privileges that allow them to manage only their respective projects. Additionally, operational teams can be granted `view` access across the cluster, allowing them to monitor without modifying anything.
+
+For information about configuring an identity provider, see "Understanding identity provider configuration".

modules/telco-security-infra.adoc

@@ -0,0 +1,11 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/observability/telco-security-basics.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="telco-security-infra_{context}"]
+= Telco-specific infrastructure
+
+Hardware requirements:: In Telco networks, clusters are primarily built on bare-metal hardware. This means that the operating system (Red Hat CoreOS) is installed directly on the physical machines, without using virtual machines. This reduces network connectivity complexity, minimizes latency, and optimizes CPU usage for applications.
+
+Network requirements:: Telco networks require much higher bandwidth compared to standard IT networks. Telco networks commonly use dual-port 25 GB connections or 100 GB Network Interface Cards (NICs) to handle massive data throughput. Security is critical, requiring encrypted connections and secure endpoints to protect sensitive personal data.

modules/telco-security-key-areas-for-cnf-deploy.adoc

@@ -0,0 +1,13 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/observability/telco-security-basics.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="telco-security-key-areas-for-cnf-deploy_{context}"]
+= Key areas for CNF deployment
+
+Following are the key areas for CNF deployment:
+
+Core:: The first deployments of CNFs occur in the core of the wireless network. This typically means racks of servers placed in central offices or data centers. These servers are connected to both the internet and the Radio Access Network (RAN), but they are often behind multiple security firewalls or sometimes disconnected from the internet altogether. This type of setup is called an offline or disconnected cluster.
+
+RAN:: After successful testing in the core network, CNFs are deployed in the Radio Access Network (RAN). Deploying CNFs in RAN requires a large number of servers (up to 100,000 in a large deployment). These servers are located near cellular towers and typically run as {sno} clusters, with the need for high scalability.

modules/telco-security-lifecycle-mgmnt.adoc

@@ -0,0 +1,11 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/observability/telco-security-basics.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="telco-security-lifecycle-mgmnt_{context}"]
+= Lifecycle management
+
+Upgrades are critical for security. When a vulnerability is discovered, it is patched in the latest release (z-release). This fix is then rolled back through each lower Y-release until all supported versions are patched. Releases that are no longer supported do not receive patches. Therefore, it is important to upgrade OpenShift clusters regularly to stay within a supported release and ensure they remain protected against vulnerabilities.
+
+For more information about lifecycle management and upgrades, see "Upgrading a telco core CNF clusters".

modules/telco-security-linux-capabilities-overview.adoc

@@ -0,0 +1,28 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/observability/telco-security-host-sec.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="telco-security-linux-capabilities-overview_{context}"]
+= Linux capabilities
+
+Linux capabilities define the actions a process can perform on the host system. By default, pods are granted several capabilities unless security measures are applied. These default capabilities are as follows:
+
+* `CHOWN`
+* `DAC_OVERRIDE`
+* `FSETID`
+* `FOWNER`
+* `SETGID`
+* `SETUID`
+* `SETPCAP`
+* `NET_BIND_SERVICE`
+* `KILL`
+
+You can modify which capabilities that a pod can receive by configuring Security Context Constraints (SCCs).
+
+You must not allow the following capabilities to a pod:
+
+* `SYS_ADMIN`: A powerful capability that grants elevated privileges. Allowing this capability can break security boundaries and pose a significant security risk.
+* `NET_ADMIN`: Allows control over networking, like SR-IOV ports, but can be replaced with alternative solutions in modern setups.
+
+For more information about Linux capabilities, see link:https://man7.org/linux/man-pages/man7/capabilities.7.html[Linux capabilities] man page.

modules/telco-security-pod-sec-in-kub-and-ocp.adoc

@@ -0,0 +1,11 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/observability/telco-security-basics.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="telco-security-pod-sec-in-kub-and-ocp_{context}"]
+= Advancement of pod security in Kubernetes and {product-title}
+
+Kubernetes initially had limited pod security. When {product-title} integrated Kubernetes, Red Hat added pod security through Security Context Constraints (SCCs). In Kubernetes version 1.3, `PodSecurityPolicy` (PSP) was introduced as a similar feature. However, it was later determined that a better solution was needed, leading to Pod Security Admission (PSA) creation. PSA was introduced in Kubernetes version 1.21, which resulted in the deprecation of PSP in Kubernetes version 1.25.
+
+PSA also became available in {product-title} version 4.11. While PSA improves pod security, it lacks some features provided by SCCs that are still necessary for telco use cases. Therefore, {product-title} continues to support both PSA and SCCs.