A Kubernetes operator is a way to package, deploy, and manage a Kubernetes application. A Kubernetes application is deployed on Kubernetes and managed using the Kubernetes API. Operators automate the management of applications or service life cycles on behalf of a human operator, allowing for automation at every level of the stack—from managing the platform’s components to managed services.
For faster installation and more frequent, robust upgrades, engineering teams may use the power of Operators, which provide autonomous administration by exposing settings directly through Kubernetes objects. In addition to the platform management automation benefits for Operators, Red Hat OpenShift makes it easy to identify, deploy, and manage Operators operating on clusters.
OpenShift is an enterprise Kubernetes platform for managing hybrid cloud installations that include full-stack automated operations.
The integrated OperatorHub, a register of operators from various software companies and open source projects, is included in Red Hat OpenShift. The OperatorHub allows you to browse and install a library of operators that have been confirmed to operate with Red Hat OpenShift and packaged for simpler lifecycle management.
Depending on the objective, OpenShift provides two distinct mechanisms for managing operators:
Furthermore, appropriately privileged individuals can manage operators using other ways, such as YAML files or helm charts.
Operators are being used by more engineering teams to deploy in production settings. While the full potential of Operators has yet to be realized, it is critical not to lose sight of the benefits of incorporating more secure code and procedures as early in the development process as feasible.
There are two types of classification for Operators:
In general, you should restrict access as much as feasible while still enabling your Operator to work, according to the Principle of Least Privilege (PoLP). Permissions can be provided by constructing role bindings and cluster role bindings that connect the Operator’s service account to the necessary roles and cluster roles. This is possible using the Operator Lifecycle Manager (OLM) bundle deployment architecture.
An Operator bundle, in addition to the Operator image itself, is an OLM-specified format for storing metadata about an Operator. The metadata contains everything Kubernetes needs to know to utilize the Operator — its custom resource definitions (CRDs), needed role-based access control (RBAC) roles and bindings, dependency tree, and other information, as described in Deploying Operators with OLM bundles.
OLM has the advantage of managing the rights required to install and execute the Operator. OLM installs using the cluster-admin role and isolates the install time needs, such as the APIService and CustomResourceDefinition resources, which are always produced by OLM using the cluster-admin role, lowering the overall rights surface.
Cluster administrators can define a service account for an Operator group using OLM, ensuring that any Operators connected with the group are deployed and operate with the rights allowed to the service account. A service account belonging to an Operator group should never be given the ability to write these resources. Any Operator who is a member of this Operator group is now limited to the rights provided to the specified service account. If the Operator requests rights that are not within the scope of the service account, the installation will fail with the appropriate errors.
It is necessary to justify the employment of cluster-scoped Operators. If not essential, run namespaced-scoped Operators with the bare minimum of permissions.
Cluster-scoped Operators require access to resources throughout the cluster, including the control plane, via permissions gained through cluster roles and cluster role bindings.
Namespace-scoped Operators require access to just resources in a single namespace, which may be acquired through the use of roles and role bindings. A namespace-scoped operator must construct a CustomResourceDefinition (CRD), which is a cluster-scoped resource, as an exception.
If there are static cluster-scoped resources whose definition will not change based on the Operator inputs, you can shift their creation to the Operator Lifecycle Manager (OLM) catalog. For example, because CRD generation does not change over the Operator’s lifespan, you may migrate it to OLM.
The Kubernetes and OpenShift systems both provide authorization via role-based access control (RBAC). The security context is a crucial component of Kubernetes pod and container specifications. This is distinct from the OpenShift security feature known as security context limitation (SCC).
Kubernetes Operators additionally establish the Operator’s permissions, which are often defined in a YAML description called role.yaml. Because roles are issued at the namespace level, any escalation of power is intrinsically constrained by the namespace. ClusterRole, on the other hand, should be scrutinized more closely because it applies to the whole cluster.
One method privilege that might be raised is if a non-privileged user (with the system: authenticated role) gains access to the operator’s service account token. A common method for mitigating this risk is to deploy the Operator in a separate namespace from its Operands, where the non-privileged user does not have access to read secrets, or if deployed in a namespace shared with non-privileged users, those users should not have access to read secrets in that namespace. Operators should never be installed in a common namespace, especially one that enables non-privileged users access.
We propose that code evaluations include a search for RBAC roles that can be used to get additional rights.
resources: - roles - rolebindings verbs: - patch - create
Allows the operator to possibly grant unprivileged users access to privileged namespaces by ‘granting’ them the roles when asked. (Note: By default, Operators can only grant rights to others that they have.)
Instead of utilizing the wildcard character as seen in the figure below, it is best to specifically list each verb or resource. Each item in the list may then be checked more readily to ensure where and how the permissions are required, or if they were taken inadvertently as a convenience during previous work.
In the verbs section, for example, instead of using “*,” you may list them out in full, such as: get, list, and watch. If the operator knows the name of the resource to be edited, it may be restricted to merely get/edit and seldom needs a “list.”
Being specific with lists will help protect the rights in the future if the “*” changes to match additional items that are not now present.
The following diagram depicts the links between cluster roles, roles, cluster role bindings, role bindings, user, group, and service accounts.
Because operators are operated using a service account in a namespace, anybody with the capacity to generate workloads in that namespace can escalate to the operator’s permissions. To address these problems, the OperatorGroup object introduced the concept of scoping operators. An OperatorGroup specifies a collection of namespaces inside a cluster in which all deployed operators have the same scope. To avoid collisions, the Operator Lifecycle Manager (OLM) guarantees that only one operator inside a namespace owns a certain CRD.
The issue is that cluster-scoped APIs exist in a cluster. They are discoverable by any user who desires to see them. Even Operators who agree on a specific Group, Version, Kind (GVK) may disagree on how those objects should be accepted to a cluster or how conversion between API versions should take place. This raises the possibility that the cluster has more than one “opinion” regarding an API.
When attempting to containerize third-party programs, it may be essential to bend to their expectations and run as specified UIDs, maybe even as root. For container-native operators, you should never set UID expectations and instead accept the standard “billion+” high UID that the OpenShift cluster allocates to the namespace your operator runs in.
Similarly, using hostPath volumes allows the container to access files on the host node. If a container is not set up properly and becomes hacked, the attacker may attempt to attack the host and other containers operating on the host.
For hostPath specifically:
Other deployment recommendations:
automount service account token — set to FALSE
Security context constraints (SCC) in OpenShift are gatekeepers that limit which pods may be admitted to the cluster. Because the Operator process operates as a pod in a cluster, you can apply the same ideas to improve the security posture of your Operator container.
The Udica tool was designed to make it easier to develop custom SELinux rules that can subsequently be linked to custom SCCs.
Continuous scanning aids in the detection of vulnerabilities and the acquisition of the most recent security bug patches in Go, Kubernetes, and the Operator container’s base image.
You may use an Operator to list the vulnerabilities of container images that are running in OpenShift that are retrieved from Red Hat Quay registries. OpenShift may be extended with the Container Security Operator to offer vulnerability reporting for images uploaded to certain namespaces.
The Clair security scanner does container image scanning for Red Hat Quay. Clair may look for and report vulnerabilities in images generated using RHEL, CentOS, Oracle, Alpine, Debian, and Ubuntu operating system software in Red Hat Quay.
Where should an Operator flee to? We would recommend that the Operator operates in an acceptable area depending on what it is. Tolerations can be used to schedule an Operator that is part of the control plane to execute on control plane nodes.
Even though Operators and Operands are separated by namespaces, if the Operator uses a highly privileged service account to do its Kube API interaction, any breach of that worker node may leak the Service Account credentials. Workload separation per node and namespace is hence advantageous.
Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.
For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com