Override default Mission Control security settings for Helm installations
To enforce the principle of least privilege, you can configure Mission Control platform and database components to override their default permission settings.
You can specify the Pod Security Context and Container Security Context across many of the Mission Control components.
Prerequisites
Before you begin, ensure that you are using Helm to install Mission Control or have an existing Helm installation. For more information, see Install and configure Mission Control using Helm.
KOTS installations do not support security overrides. |
Override platform security settings
Override platform security settings for your environment by setting the podSecurityContext
and securityContext
parameters using Helm.
dex:
podSecurityContext:
runAsNonRoot: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
agent:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
fsGroup: 1001
runAsUser: 1001
runAsNonRoot: true
aggregator:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
fsGroup: 1001
runAsUser: 1001
runAsNonRoot: true
loki:
sidecar:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
loki:
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
podSecurityContext:
runAsNonRoot: true
k8ssandra-operator:
podSecurityContext:
runAsNonRoot: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
cass-operator:
podSecurityContext:
runAsNonRoot: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
Apply the overrides:
helm upgrade mission-control oci://registry.replicated.com/mission-control/mission-control --namespace mission-control --create-namespace -f PLATFORM_SECURITY_OVERRIDES.yaml
Replace PLATFORM_SECURITY_OVERRIDES.yaml
with the name of the file that contains the security overrides.
Deploy a MissionControlCluster
with security overrides
Override security settings for the MissionControlCluster
custom resource by setting the containerSecurityContext
and podSecurityContext
parameters using kubectl
.
apiVersion:
kind: MissionControlCluster
metadata:
name: MISSION_CONTROL_CLUSTER_NAME
namespace: NAMESPACE
spec:
k8ssandra:
cassandra:
initContainers:
# Cassandra v...
- name: cass-config-builder
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
# DSE v...
- name: ...
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
# HCD v...
- name: ...
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
# Medusa
- name: ...
containers:
- name: cassandra
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
- name: server-system-logger
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
podSecurityContext:
fsGroup: 999
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
cqlsh:
spec:
initContainers: []
containers:
- name: ...
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
securityContext:
fsGroup: 999
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
Replace the following:
-
MISSION_CONTROL_CLUSTER_NAME
: The name of theMissionControlCluster
custom resource -
NAMESPACE
: The namespace where theMissionControlCluster
custom resource is deployed
Deploy the MissionControlCluster
with overrides:
kubectl apply -f MISSION_CONTROL_CLUSTER.yaml
Replace MISSION_CONTROL_CLUSTER.yaml
with the name of the file that contains the settings for your MissionControlCluster
.
Override settings for the CqlConnectivity
API custom resource
Override settings for the CqlConnectivity
custom resource by setting the containerSecurityContext
and podSecurityContext
parameters using kubectl
.
apiVersion: missioncontrol.datastax.com/v1alpha1
kind: CqlConnectivity
metadata:
name: **CQL_CONNECTIVITY_NAME**
spec:
cassandraDatacenterRef:
name: **DATACENTER_NAME**
loadBalancers:
nativePort: 9042
serviceConfig: {}
size: 2
podConfig:
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
podSecurityContext:
fsGroup: 999
runAsGroup: 999
runAsNonRoot: true
runAsUser: 999
Replace the following:
-
CQL_CONNECTIVITY_NAME
: The name of theCqlConnectivity
custom resource -
DATACENTER_NAME
: The name of the datacenter
Create the CqlConnectivity
custom resource with overrides:
kubectl apply -f CQL_CONNECTIVITY.yaml
Replace CQL_CONNECTIVITY.yaml
with the name of the manifest file that contains the security overrides.
Override settings for the Data API
Override security settings for the Data API custom resource by setting the containerSecurityContext
and podSecurityContext
parameters using kubectl
.
apiVersion: missioncontrol.datastax.com/v1alpha1
kind: DataApi
metadata:
name: DATA_API_NAME
namespace: NAMESPACE
spec:
cassandraDatacenterRef:
name: DATACENTER_NAME
replicas: 1
services:
nodePort:
port: NODE_PORT
clusterIP:
port: CLUSTER_IP_PORT
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
podSecurityContext:
runAsNonRoot: true
Replace the following:
-
DATA_API_NAME
: The name of the Data API custom resource -
NAMESPACE
: The namespace where the Data API custom resource is deployed -
DATACENTER_NAME
: The name of the datacenter -
NODE_PORT
: The port number for thenodePort
service -
CLUSTER_IP_PORT
: The port number for theclusterIP
service
Create or update the Data API
custom resource with overrides:
kubectl apply -f DATA_API.yaml
Replace DATA_API.yaml
with the name of the manifest file that contains the settings for your Data API
custom resource.