Merge pull request #86603 from sr1kar99/2004-telco-sec-doc

TELCODOCS#2004: Day 2 Operations - Security Doc

Author: mburke5678

_topic_maps/_topic_map.yml

@@ -3475,6 +3475,15 @@ Topics:
     Topics:
     - Name: Observability in OpenShift Container Platform
       File: telco-observability
+  - Name: Security
+    Dir: security
+    Topics:
+    - Name: Security basics
+      File: telco-security-basics
+    - Name: Host security
+      File: telco-security-host-sec
+    - Name: Security context constraints
+      File: telco-security-sec-context-constraints
 ---
 Name: Specialized hardware and driver enablement
 Dir: hardware_enablement

edge_computing/day_2_core_cnf_clusters/security/_attributes

@@ -0,0 +1 @@
+../../../_attributes/

edge_computing/day_2_core_cnf_clusters/security/images

@@ -0,0 +1 @@
+../../../images/

edge_computing/day_2_core_cnf_clusters/security/modules

@@ -0,0 +1 @@
+../../../modules/

edge_computing/day_2_core_cnf_clusters/security/snippets

@@ -0,0 +1 @@
+../../../snippets/

edge_computing/day_2_core_cnf_clusters/security/telco-security-basics.adoc

@@ -0,0 +1,56 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="telco-security-basics"]
+= Security basics
+include::_attributes/common-attributes.adoc[]
+:context: telco-security-basics
+
+toc::[]
+
+Security is a critical component of telecommunications deployments on {product-title}, particularly when running cloud-native network functions (CNFs). 
+
+You can enhance security for high-bandwidth network deployments in telecommunications (telco) environments by following key security considerations. By implementing these standards and best practices, you can strengthen security in telco-specific use cases.
+
+include::modules/telco-security-rbac-overview.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../authentication/using-rbac.adoc#authorization-overview_using-rbac[Using RBAC to define and apply permissions]
+
+include::modules/telco-security-sec-accounts-overview.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../authentication/understanding-and-creating-service-accounts.adoc[Understanding and creating service accounts]
+
+include::modules/telco-security-identity-prov-config.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../authentication/understanding-identity-provider.adoc[Understanding identity provider configuration]
+
+include::modules/telco-security-replacing-kubeadmin-user.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#identity-provider-htpasswd-about_configuring-htpasswd-identity-provider[About htpasswd authentication]
+
+include::modules/telco-security-sec-considerations-telco.adoc[leveloffset=+1]
+
+include::modules/telco-security-pod-sec-in-kub-and-ocp.adoc[leveloffset=+1]
+
+include::modules/telco-security-key-areas-for-cnf-deploy.adoc[leveloffset=+1]
+
+include::modules/telco-security-infra.adoc[leveloffset=+1]
+
+include::modules/telco-security-lifecycle-mgmnt.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+xref:../../../edge_computing/day_2_core_cnf_clusters/updating/telco-update-welcome.adoc[Upgrading a telco core CNF clusters]
+
+include::modules/telco-security-evolu-nf-to-cnf.adoc[leveloffset=+1]

edge_computing/day_2_core_cnf_clusters/security/telco-security-host-sec.adoc

@@ -0,0 +1,27 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="telco-security-host-sec"]
+= Host security
+include::_attributes/common-attributes.adoc[]
+:context: telco-security-host-sec
+
+toc::[]
+
+include::modules/telco-security-rhcos-overview.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../architecture/architecture-rhcos.adoc#rhcos-about_architecture-rhcos[About RHCOS]
+
+* xref:../../../architecture/architecture-rhcos.adoc[Red Hat Enterprise Linux CoreOS (RHCOS)].
+
+* xref:../../../edge_computing/day_2_core_cnf_clusters/security/telco-security-host-sec.adoc#telco-security-linux-capabilities-overview_telco-security-host-sec[Linux capabilities].
+
+include::modules/telco-security-command-line-host-access.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../../../support/troubleshooting/investigating-pod-issues.adoc#starting-debug-pods-with-root-access_investigating-pod-issues[Starting debug pods with root access].
+
+include::modules/telco-security-linux-capabilities-overview.adoc[leveloffset=+1]

edge_computing/day_2_core_cnf_clusters/security/telco-security-sec-context-constraints.adoc

@@ -0,0 +1,96 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="telco-security-sec-context-constraints"]
+= Security context constraints
+include::_attributes/common-attributes.adoc[]
+:context: telco-security-sec-context-constraints
+:imagesdir: images
+
+toc::[]
+
+Similar to the way that RBAC resources control user access, administrators can use security context constraints (SCCs) to control permissions for pods. These permissions determine the actions that a pod can perform and what resources it can access. You can use SCCs to define a set of conditions that a pod must run.
+
+Security context constraints allow an administrator to control the following security constraints:
+
+* Whether a pod can run privileged containers with the `allowPrivilegedContainer` flag
+* Whether a pod is constrained with the `allowPrivilegeEscalation` flag
+* The capabilities that a container can request
+* The use of host directories as volumes
+* The SELinux context of the container
+* The container user ID
+* The use of host namespaces and networking
+* The allocation of an `FSGroup` that owns the pod volumes
+* The configuration of allowable supplemental groups
+* Whether a container requires write access to its root file system
+* The usage of volume types
+* The configuration of allowable `seccomp` profiles
+
+Default SCCs are created during installation and when you install some Operators or other components. As a cluster administrator, you can also create your own SCCs by using the OpenShift CLI (`oc`).
+
+For information about default security context constraints, see xref:../../../authentication/managing-security-context-constraints.adoc#default-sccs_configuring-internal-oauth[Default security context constraints].
+
+[IMPORTANT]
+====
+Do not modify the default SCCs. Customizing the default SCCs can lead to issues when some of the platform pods deploy or {product-title} is upgraded. Additionally, the default SCC values are reset to the defaults during some cluster upgrades, which discards all customizations to those SCCs.
+
+Instead of modifying the default SCCs, create and modify your own SCCs as needed. For detailed steps, see xref:../../../authentication/managing-security-context-constraints.adoc#security-context-constraints-creating_configuring-internal-oauth[Creating security context constraints].
+====
+
+You can use the following basic SCCs:
+
+* `restricted`
+* `restricted-v2`
+
+The `restricted-v2` SCC is the most restrictive SCC provided by a new installation and is used by default for authenticated users. It aligns with Pod Security Admission (PSA) restrictions and improves security, as the original `restricted` SCC is less restrictive. It also helps transition from the original SCCs to v2 across multiple releases. Eventually, the original SCCs get deprecated. Therefore, it is recommended to use the `restricted-v2` SCC.
+
+You can examine the `restricted-v2` SCC by running the following command:
+[source,terminal]
+----
+$ oc describe scc restricted-v2
+----
+.Example output
+[source,terminal]
+----
+Name:                                           restricted-v2
+Priority:                                       <none>
+Access:
+  Users:                                        <none>
+  Groups:                                       <none>
+Settings:
+  Allow Privileged:                             false
+  Allow Privilege Escalation:                   false
+  Default Add Capabilities:                     <none>
+  Required Drop Capabilities:                   ALL
+  Allowed Capabilities:                         NET_BIND_SERVICE
+  Allowed Seccomp Profiles:                     runtime/default
+  Allowed Volume Types:                         configMap,downwardAPI,emptyDir,ephemeral,persistentVolumeClaim,projected,secret
+  Allowed Flexvolumes:                          <all>
+  Allowed Unsafe Sysctls:                       <none>
+  Forbidden Sysctls:                            <none>
+  Allow Host Network:                           false
+  Allow Host Ports:                             false
+  Allow Host PID:                               false
+  Allow Host IPC:                               false
+  Read Only Root Filesystem:                    false
+  Run As User Strategy: MustRunAsRange
+    UID:                                        <none>
+    UID Range Min:                              <none>
+    UID Range Max:                              <none>
+  SELinux Context Strategy: MustRunAs
+    User:                                       <none>
+    Role:                                       <none>
+    Type:                                       <none>
+    Level:                                      <none>
+  FSGroup Strategy: MustRunAs
+    Ranges:                                     <none>
+  Supplemental Groups Strategy: RunAsAny
+    Ranges:                                     <none>
+----
+
+The `restricted-v2` SCC explicitly denies everything except what it explicitly allows. The following settings define the allowed capabilities and security restrictions:
+
+* Default add capabilities: Set to `<none>`. It means that no capabilities are added to a pod by default.
+* Required drop capabilities: Set to `ALL`. This drops all the default Linux capabilities of a pod.
+* Allowed capabilities: `NET_BIND_SERVICE`. A pod can request this capability, but it is not added by default.
+* Allowed `seccomp` profiles: `runtime/default`. 
+
+For more information, see xref:../../../authentication/managing-security-context-constraints.adoc[Managing security context constraints].

modules/telco-security-command-line-host-access.adoc

@@ -0,0 +1,60 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/security/telco-security-host-sec.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="telco-security-command-line-host-access_{context}"]
+= Command-line host access
+
+Direct access to a host must be restricted to avoid modifying the host or accessing pods that should not be accessed. For users who need direct access to a host, it is recommended to use an external authenticator, like SSSD with LDAP, to manage access. This helps maintain consistency across the cluster through the Machine Config Operator.
+
+[IMPORTANT]
+====
+Do not configure direct access to the root ID on any {product-title} cluster server.
+====
+
+You can connect to a node in the cluster using the following methods:
+
+Using debug pod:: This is the recommended method to access a node. To debug or connect to a node, run the following command:
++
+[source,terminal]
+----
+$ oc debug node/<worker_node_name>
+----
++
+After connecting to the node, run the following command to get access to the root file system:
++
+[source,terminal]
+----
+# chroot /host
+----
++
+This gives you root access within a debug pod on the node. For more information, see "Starting debug pods with root access".
+
+Direct SSH:: Avoid using the root user. Instead, use the core user ID (or your own ID). To connect to the node using SSH, run the following command:
++
+[source,terminal]
+----
+$ ssh core@<worker_node_name>
+----
++
+[IMPORTANT]
+====
+The core user ID is initially given `sudo` privileges within the cluster.
+====
++
+If you cannot connect to a node using SSH, see link:https://access.redhat.com/solutions/4073041[How to connect to {product-title} 4.x Cluster nodes using SSH bastion pod] to add your SSH key to the core user.
++
+After connecting to the node using SSH, run the following command to get access to the root shell:
++
+[source,terminal]
+----
+$ sudo -i
+----
+
+Console Access:: Ensure that consoles are secure. Do not allow direct login with the root ID, instead use individual IDs.
++
+[NOTE]
+====
+Follow the best practices of your organization for securing console access.
+====

modules/telco-security-evolu-nf-to-cnf.adoc

@@ -0,0 +1,18 @@
+// Module included in the following assemblies:
+//
+// * edge_computing/day_2_core_cnf_clusters/security/telco-security-basics.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="telco-security-evolution-of-nf-to-cnf_{context}"]
+= Evolution of Network Functions to CNFs
+
+Network Functions (NFs) began as Physical Network Functions (PNFs), which were purpose-built hardware devices operating independently. Over time, PNFs evolved into Virtual Network Functions (VNFs), which virtualized their capabilities while controlling resources like CPU, memory, storage, and network.
+
+As technology advanced further, VNFs transitioned to cloud-native network functions (CNFs). CNFs run in lightweight, secure, and scalable containers. They enforce stringent restrictions, including non-root execution and minimal host interference, to enhance security and performance.
+
+PNFs had unrestricted root access to operate independently without interference. With the shift to VNFs, resource usage was controlled, but processes could still run as root within their virtual machines. In contrast, CNFs restrict root access and limit container capabilities to prevent interference with other containers or the host operating system.
+
+The main challenges in migrating to CNFs are as follows:
+
+* Breaking down monolithic network functions into smaller, containerized processes.
+* Adhering to cloud-native principles, such as non-root execution and isolation, while maintaining telco-grade performance and reliability.