Issue type: Epic
Resolution: Done
Priority: Major
Epic name: SPO productization
Category: Strategic Product Work
Status: To Do
Flag: Impediment
Parent: OCPSTRAT-182 - Security Profiles Operator
Progress: 0% To Do, 0% In Progress, 100% Done
-
Currently there is no simple way of developing and installing custom SELinux and/or seccomp policies in OpenShift clusters. While there are workarounds, these are non-trivial and not user-friendly. Deploying a security profile to the cluster typically involves creating a MachineConfig object, which triggers a reboot of the nodes and is disruptive.
On the other hand, there are many privileged containers in the platform that catch the attention of customers and consultants and open up those workloads as valuable targets for exploitation. The same applies to third-party operators. There should be a way to address this.
Security Profiles Operator (SPO) is an upstream project that aids in the development, deployment, and administration of security profiles such as seccomp or SELinux. The proposal is to include SPO in OpenShift to help with managing and applying security profiles in OpenShift.
We intend to productize the Security Profiles Operator as a joint effort between the Infrastructure Security & Compliance team and the Node team. Initially, the operator would support management of security profiles; future releases would also focus on development of security profiles, so that these profiles could serve as a single source of truth for both developers and ops/sec.
Epic goals
- Make sure the Security Profiles Operator is usable and installable on OpenShift
Acceptance Criteria
- It is possible to install the operator on an OCP cluster
- It is possible to use custom SELinux and seccomp profiles with the appropriate permissions on an OpenShift cluster
- The operator has documentation. The ISC team will provide a base of documentation (e.g. a Google document) for the content writers to use for bootstrapping our official docs
Documentation needs
This is a new operator, so it needs documentation, roughly in the same scope as the Compliance Operator documentation. The documentation should cover at least installation, installing profiles, recording profiles and binding profiles to images. The ISC development team will provide a basis for the documentation as a part of CMP-876.
Please see the QE need section below for an overview of the operator functionality.
QE needs
This is a new operator, so it needs testing. The exact scope of the testing is TBD, but the testing should include at least:
- the operator can be installed and uninstalled
- seccomp profile management
  - install, uninstall, report status
  - assign a profile directly to a workload
  - bind an image to a profile
  - test that the profile is actually taken into use: make sure that the permitted operations are executed, but those that are not permitted are denied
- SELinux profile management
  - install, uninstall, report status
  - assign a profile directly to a workload
  - bind an image to a profile
  - test that the profile is actually taken into use: make sure that the permitted operations are executed, but those that are not permitted are denied
- seccomp and SELinux profile recording
  - for both profile types, record several types of workloads (pods, deployments, ...)
- metrics
- depending on which upstream version we package, we might also test e.g. binding a workload to a profile from another namespace. This is the part that is TBD.
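A minimal worked instance of the seccomp checks listed above (install a custom profile, assign it directly to a workload, verify that a permitted operation succeeds and a denied one fails), written as an added example for this epic rather than taken from it or from the SPO project. The namespace `spo-demo`, the object names, the test image and the choice of `chmod` as the denied operation are assumptions; the SCC requirement is the one this epic already names as a dependency.

```yaml
# Added example (not from the epic or the SPO project): a custom seccomp
# profile managed by SPO, a pod bound to it, and the permitted/denied check.
# Namespace "spo-demo" and all object names are assumptions.
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: deny-chmod
  namespace: spo-demo
spec:
  # Allow everything by default; deny only the syscalls behind chmod(1)
  # so the test has one known-permitted and one known-denied action.
  # (Newer glibc/kernel combinations may additionally use fchmodat2.)
  defaultAction: SCMP_ACT_ALLOW
  syscalls:
    - action: SCMP_ACT_ERRNO
      names:
        - chmod
        - fchmod
        - fchmodat
---
apiVersion: v1
kind: Pod
metadata:
  name: deny-chmod-test
  namespace: spo-demo
spec:
  # The pod must run under an SCC that permits Localhost seccomp profiles
  # (see the example-SCC dependency in this epic); the default restricted
  # SCC only allows runtime/default.
  securityContext:
    seccompProfile:
      type: Localhost
      # Path under the kubelet seccomp root where SPO writes the rendered
      # JSON: operator/<namespace>/<profile-name>.json
      localhostProfile: operator/spo-demo/deny-chmod.json
  containers:
    - name: test
      image: registry.access.redhat.com/ubi9/ubi-minimal
      command: ["sleep", "infinity"]
# Verify that the profile is actually in use, after both objects are applied:
#   oc -n spo-demo get seccompprofile deny-chmod          # STATUS: Installed
#   oc -n spo-demo exec deny-chmod-test -- touch /tmp/ok   # permitted: succeeds
#   oc -n spo-demo exec deny-chmod-test -- chmod 600 /tmp/ok
#   # denied: exits non-zero with "Operation not permitted" (EPERM)
```

If the profile never reaches `Installed`, check the SPO daemon pod logs on the node running the test pod before suspecting the SCC.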
Dependencies (internal and external)
- internal: we need to figure out a way to package and distribute selinuxd (CMP-872) - decided: as a container
- internal: we need to figure out a way to have rpm-ostree play nicely with modifying the SELinux database (SELINUX-2695)
- internal: we need to figure out a way to make security profiles usable without having to use the privileged SCC by shipping an example SCC (CMP-1208)
Further work
- We should evangelize the operator internally in order to convince developers to stop using privileged containers.
- Make the operator be a central part of OpenShift and be deployed in clusters by default.
Issue links:
- is blocked by CMP-1545 SPO profile recording (Closed)