ビュー:
ランタイムセキュリティをOpenShiftに配信するには、特権ユーザ (system:cluster-adminsKubernetesグループ)。 ROSAでは、通常、これはcluster-adminユーザです。 AROでは、通常、これはkubeadminユーザです。
通常のOpenShiftアクティビティでは、ランタイムセキュリティルールがトリガーされ、多数のイベントが生成される可能性があります。これらのイベントが生成されないようにするには、次のコードをオーバーライドファイルに追加して、一部の名前空間を除外します。
cloudOne: exclusion: namespaces: [list, of, namespaces]
OpenShiftでは、次の名前空間を除外できます。
cloudOne: exclusion: namespaces: [openshift, openshift-addon-operator, openshift-apiserver, openshift-apiserver-operator, openshift-aqua, openshift-authentication, openshift-authentication-operator, openshift-azure-logging, openshift-azure-operator, openshift-backplane, openshift-backplane-cee, openshift-backplane-managed-scripts, openshift-backplane-srep, openshift-build-test, openshift-cloud-controller-manager-operator, openshift-cloud-credential-operator, openshift-cloud-ingress-operator, openshift-cloud-network-config-controller, openshift-cluster-csi-drivers, openshift-cluster-machine-approver, openshift-cluster-node-tuning-operator, openshift-cluster-samples-operator, openshift-cluster-storage-operator, openshift-cluster-version, openshift-codeready-workspaces, openshift-config, openshift-config-managed, openshift-config-operator, openshift-console, openshift-console-operator, openshift-console-user-settings, openshift-controller-manager, openshift-controller-manager-operator, openshift-custom-domains-operator, openshift-customer-monitoring, openshift-deployment-validation-operator, openshift-dns, openshift-dns-operator, openshift-etcd, openshift-etcd-operator, openshift-host-network, openshift-image-registry, openshift-infra, openshift-ingress, openshift-ingress-canary, openshift-ingress-operator, openshift-insights, openshift-kni-infra, openshift-kube-apiserver, openshift-kube-apiserver-operator, openshift-kube-controller-manager, openshift-kube-controller-manager-operator, openshift-kube-scheduler, openshift-kube-scheduler-operator, openshift-kube-storage-version-migrator, openshift-kube-storage-version-migrator-operator, openshift-kubevirt-infra, openshift-logging, openshift-machine-api, openshift-machine-config-operator, openshift-managed-node-metadata-operator, openshift-managed-upgrade-operator, openshift-marketplace, openshift-monitoring, openshift-multus, openshift-must-gather-operator, openshift-network-diagnostics, openshift-network-operator, openshift-node, openshift-oauth-apiserver, openshift-ocm-agent-operator, openshift-openstack-infra, openshift-operator-lifecycle-manager, openshift-operators, openshift-operators-redhat, openshift-osd-metrics, openshift-ovirt-infra, openshift-ovn-kubernetes, openshift-rbac-permissions, openshift-route-monitor-operator, openshift-sdn, openshift-security, openshift-service-ca, openshift-service-ca-operator, openshift-splunk-forwarder-operator, openshift-sre-pruning, openshift-sre-sshd, openshift-strimzi, openshift-user-workload-monitoring, openshift-validation-webhook, openshift-velero, openshift-vsphere-infra]
初期設定では、OpenShiftはテイントをインフラストラクチャノードとマスターノードに適用するため、ランタイムセキュリティポッドはこれらのノードに割り当てられません。これらのノードにランタイムセキュリティを追加する場合は、次の容認をオーバーライドファイルに追加します。
tolerations: scout: - effect: NoSchedule key: node-role.kubernetes.io/infra operator: Exists - effect: NoSchedule key: node-role.kubernetes.io/master operator: Exists