To deploy runtime security on OpenShift, you must use a privileged user (a user in the system:cluster-admins Kubernetes group). On ROSA this is typically the cluster-admin user; on ARO it is typically the kubeadmin user. Normal OpenShift activity can trigger runtime security rules and generate a large number of events. To prevent these events from being generated, you can exclude specific namespaces by adding the following to your overrides file:
cloudOne:
  exclusion:
    namespaces: [list, of, namespaces]
On OpenShift, you will probably want to exclude the following namespaces:
cloudOne:
  exclusion:
    namespaces: [openshift, openshift-addon-operator, openshift-apiserver, openshift-apiserver-operator,
      openshift-aqua, openshift-authentication, openshift-authentication-operator, openshift-azure-logging,
      openshift-azure-operator, openshift-backplane, openshift-backplane-cee, openshift-backplane-managed-scripts,
      openshift-backplane-srep, openshift-build-test, openshift-cloud-controller-manager-operator,
      openshift-cloud-credential-operator, openshift-cloud-ingress-operator, openshift-cloud-network-config-controller,
      openshift-cluster-csi-drivers, openshift-cluster-machine-approver, openshift-cluster-node-tuning-operator,
      openshift-cluster-samples-operator, openshift-cluster-storage-operator, openshift-cluster-version,
      openshift-codeready-workspaces, openshift-config, openshift-config-managed, openshift-config-operator,
      openshift-console, openshift-console-operator, openshift-console-user-settings, openshift-controller-manager,
      openshift-controller-manager-operator, openshift-custom-domains-operator, openshift-customer-monitoring,
      openshift-deployment-validation-operator, openshift-dns, openshift-dns-operator, openshift-etcd,
      openshift-etcd-operator, openshift-host-network, openshift-image-registry, openshift-infra, openshift-ingress,
      openshift-ingress-canary, openshift-ingress-operator, openshift-insights, openshift-kni-infra,
      openshift-kube-apiserver, openshift-kube-apiserver-operator, openshift-kube-controller-manager,
      openshift-kube-controller-manager-operator, openshift-kube-scheduler, openshift-kube-scheduler-operator,
      openshift-kube-storage-version-migrator, openshift-kube-storage-version-migrator-operator,
      openshift-kubevirt-infra, openshift-logging, openshift-machine-api, openshift-machine-config-operator,
      openshift-managed-node-metadata-operator, openshift-managed-upgrade-operator, openshift-marketplace,
      openshift-monitoring, openshift-multus, openshift-must-gather-operator, openshift-network-diagnostics,
      openshift-network-operator, openshift-node, openshift-oauth-apiserver, openshift-ocm-agent-operator,
      openshift-openstack-infra, openshift-operator-lifecycle-manager, openshift-operators,
      openshift-operators-redhat, openshift-osd-metrics, openshift-ovirt-infra, openshift-ovn-kubernetes,
      openshift-rbac-permissions, openshift-route-monitor-operator, openshift-sdn, openshift-security,
      openshift-service-ca, openshift-service-ca-operator, openshift-splunk-forwarder-operator,
      openshift-sre-pruning, openshift-sre-sshd, openshift-strimzi, openshift-user-workload-monitoring,
      openshift-validation-webhook, openshift-velero, openshift-vsphere-infra]
By default, OpenShift applies taints to infrastructure and master nodes, which prevents the runtime security pod from being scheduled onto those nodes. If you want runtime security on these nodes as well, add the following tolerations to your overrides file:
tolerations:
  scout:
    - effect: NoSchedule
      key: node-role.kubernetes.io/infra
      operator: Exists
    - effect: NoSchedule
      key: node-role.kubernetes.io/master
      operator: Exists
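The two override keys above (the namespace exclusion and the scout tolerations) are usually hand-edited, and a long namespace list drifts as the cluster changes. The following script is an added example, not code from the Container Security chart or its documentation: it reads the JSON that `oc get namespaces -o json` and `oc get nodes -o json` return, selects the platform namespaces (`openshift` plus everything prefixed `openshift-`, the same rule the list above follows) and the NoSchedule role taints actually present on the nodes, and renders `cloudOne.exclusion.namespaces` and `tolerations.scout`. The function names and the sample inventory JSON are constructed for this example.

```python
"""Added example (not part of the Trend Micro Container Security chart):
derive the OpenShift override keys described above from cluster inventory.

Inputs are the JSON documents returned by `oc get namespaces -o json` and
`oc get nodes -o json`. The SAMPLE_* strings below are constructed stand-ins
for that output so the script runs offline.
"""
import json

# Platform namespaces follow the page's list: `openshift` itself plus every
# namespace prefixed `openshift-`. Excluding them keeps ordinary OpenShift
# activity from flooding runtime security with events.
PLATFORM_EXACT = {"openshift"}
PLATFORM_PREFIXES = ("openshift-",)

# Only role taints (infra/master) are tolerated. Tolerating every NoSchedule
# taint would also land the privileged scout pod on nodes that were cordoned
# off on purpose, e.g. for maintenance.
ROLE_TAINT_PREFIX = "node-role.kubernetes.io/"


def platform_namespaces(ns_list_json):
    """Return the sorted platform namespaces from a NamespaceList JSON document."""
    items = json.loads(ns_list_json)["items"]
    names = (item["metadata"]["name"] for item in items)
    return sorted(n for n in names
                  if n in PLATFORM_EXACT or n.startswith(PLATFORM_PREFIXES))


def role_taints(node_list_json):
    """Return sorted, de-duplicated (key, effect) pairs of NoSchedule role taints."""
    items = json.loads(node_list_json)["items"]
    found = set()
    for node in items:
        for taint in node.get("spec", {}).get("taints", []):
            if taint.get("effect") == "NoSchedule" and taint["key"].startswith(ROLE_TAINT_PREFIX):
                found.add((taint["key"], taint["effect"]))
    return sorted(found)


def render_overrides(namespaces, taints):
    """Render the overrides YAML by hand so the script needs no PyYAML."""
    lines = ["cloudOne:", "  exclusion:",
             "    namespaces: [" + ", ".join(namespaces) + "]"]
    if taints:
        lines += ["tolerations:", "  scout:"]
        for key, effect in taints:
            lines += [f"    - effect: {effect}", f"      key: {key}", "      operator: Exists"]
    return "\n".join(lines) + "\n"


# Constructed sample inventory (not captured from a real cluster).
SAMPLE_NAMESPACES = json.dumps({"items": [
    {"metadata": {"name": n}} for n in [
        "default", "kube-system", "openshift", "openshift-apiserver",
        "openshift-monitoring", "payments-api",
    ]
]})

SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "master-0"},
     "spec": {"taints": [{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}]}},
    {"metadata": {"name": "master-1"},  # same taint again: must be emitted once
     "spec": {"taints": [{"key": "node-role.kubernetes.io/master", "effect": "NoSchedule"}]}},
    {"metadata": {"name": "infra-0"},
     "spec": {"taints": [{"key": "node-role.kubernetes.io/infra", "effect": "NoSchedule"}]}},
    {"metadata": {"name": "worker-0"}, "spec": {}},
    {"metadata": {"name": "worker-1"},  # maintenance taint: not a role taint, not tolerated
     "spec": {"taints": [{"key": "maintenance", "effect": "NoSchedule"}]}},
]})


if __name__ == "__main__":
    print(render_overrides(platform_namespaces(SAMPLE_NAMESPACES),
                           role_taints(SAMPLE_NODES)), end="")
```

Against a real cluster, replace the `SAMPLE_*` strings with the contents of the two `oc get ... -o json` commands and write the output to your overrides file. Tolerating the master taint places a privileged DaemonSet pod on control-plane nodes, so emit that toleration only when you actually want runtime visibility there.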