Modifying IBM Cloud Private security policy

If, and only if, you plan to use the embedded Elasticsearch and Kibana (rather than an external Elasticsearch installation), you must ensure that the target namespace for the IBM® Business Automation Insights deployment is bound to a pod security policy that allows running privileged containers.

About this task

By default, a Kubernetes service account does not have the permissions to deploy to the target namespace any pods that require privileged containers. To enable such deployment, you must modify the default behavior. To do so, you create the appropriate PodSecurityPolicy, ClusterRole, and ClusterRoleBinding Kubernetes resources by using kubectl commands.
Note: If you have upgraded your IBM Business Automation Insights installation from version 18.0.0, you do not have to follow this procedure to modify the ICP security policy. However, if you choose to do it, first roll back the changes that you made through the kubectl edit clusterrolebindings privileged-psp-users command when you installed IBM Business Automation Insights 18.0.

Procedure

  1. Log in to your IBM Cloud Private 3.1 environment by running the cloudctl login command, which also ensures that your Kubernetes (kubectl) access is properly configured.
  2. Create a psp.yaml file with the following content.
    1. Replace the <NAMESPACE_A> placeholder with the namespace where you plan to deploy IBM Business Automation Insights, and remove the <NAMESPACE_B> subject entry if you deploy to only one namespace.
    2. Optional: To deploy IBM Business Automation Insights to multiple namespaces, specify all the namespaces in the subjects section of the ClusterRoleBinding block.
    apiVersion: extensions/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: bai-psp
    spec:
      privileged: true
      runAsUser:
        rule: RunAsAny
      seLinux:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      volumes:
      - '*'
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
      name: bai-clusterrole
    rules:
    - apiGroups:
      - extensions
      resourceNames:
      - bai-psp
      resources:
      - podsecuritypolicies
      verbs:
      - use
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: bai-clusterrolebinding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: bai-clusterrole
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:serviceaccounts:<NAMESPACE_A>
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:serviceaccounts:<NAMESPACE_B>
  3. Run the apply command.
    kubectl apply -f psp.yaml
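
Because the ClusterRoleBinding is what decides which service accounts may run privileged pods, it is worth auditing its subjects before (or after) the apply. The following is an added example, not part of the IBM documentation: it takes the ClusterRole and ClusterRoleBinding in the JSON form that kubectl get -o json returns (the sample objects below are constructed to match psp.yaml, with one deliberately over-broad subject) and reports leftover placeholders, subjects that would extend the grant to every service account in the cluster, and namespaces that are bound but not intended or intended but not bound.

```python
"""Audit which namespaces' service accounts are granted 'use' of the bai-psp policy.

Added example, not from the IBM documentation. Input objects are the JSON form of
the ClusterRole and ClusterRoleBinding from psp.yaml; the samples are constructed.
"""
import json
import re

# Groups that would widen the privileged-pod grant far beyond the intended namespaces.
OVERBROAD_GROUPS = {"system:serviceaccounts", "system:authenticated", "system:unauthenticated"}
# Per-namespace service-account group, e.g. system:serviceaccounts:bai
SA_GROUP = re.compile(r"^system:serviceaccounts:(?P<ns>[a-z0-9]([-a-z0-9]*[a-z0-9])?)$")

def audit_psp_grant(role, binding, psp_name, expected_namespaces):
    """Return a list of findings; an empty list means the grant is scoped as intended."""
    findings = []
    grants_use = any("use" in r.get("verbs", []) and psp_name in r.get("resourceNames", [])
                     and "podsecuritypolicies" in r.get("resources", [])
                     for r in role.get("rules", []))
    if not grants_use:
        findings.append(f"ClusterRole {role['metadata']['name']} does not grant 'use' on {psp_name}")
    if binding["roleRef"]["name"] != role["metadata"]["name"]:
        findings.append("binding does not reference the audited ClusterRole")
    bound = set()
    for s in binding.get("subjects", []):
        name = s.get("name", "")
        if "<" in name or ">" in name:          # template placeholder never replaced
            findings.append(f"placeholder left in subject: {name}")
        elif s.get("kind") == "Group" and name in OVERBROAD_GROUPS:
            findings.append(f"over-broad subject grants privileged pods cluster-wide: {name}")
        elif s.get("kind") == "Group" and (m := SA_GROUP.match(name)):
            bound.add(m.group("ns"))
        else:
            findings.append(f"unexpected subject {s.get('kind')}/{name}")
    for ns in sorted(bound - set(expected_namespaces)):
        findings.append(f"namespace not in the intended list: {ns}")
    for ns in sorted(set(expected_namespaces) - bound):
        findings.append(f"intended namespace is not bound: {ns}")
    return findings

# Constructed samples mirroring psp.yaml; the second subject is a deliberate mistake.
ROLE = json.loads('{"kind":"ClusterRole","metadata":{"name":"bai-clusterrole"},'
                  '"rules":[{"apiGroups":["extensions"],"resourceNames":["bai-psp"],'
                  '"resources":["podsecuritypolicies"],"verbs":["use"]}]}')
BINDING = json.loads('{"kind":"ClusterRoleBinding","metadata":{"name":"bai-clusterrolebinding"},'
                     '"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"bai-clusterrole"},'
                     '"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts:bai"},'
                     '{"apiGroup":"rbac.authorization.k8s.io","kind":"Group","name":"system:serviceaccounts"}]}')

if __name__ == "__main__":
    for finding in audit_psp_grant(ROLE, BINDING, "bai-psp", ["bai"]):
        print("FINDING:", finding)
```

On a live cluster, feed it the output of kubectl get clusterrole bai-clusterrole -o json and kubectl get clusterrolebinding bai-clusterrolebinding -o json.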

Results

Kubernetes enables running privileged containers in the namespaces that are referenced in the subjects section of the ClusterRoleBinding block.