Connect Akto with Azure OpenShift

Azure Red Hat OpenShift provides highly available, fully managed OpenShift clusters on demand, monitored and operated jointly by Microsoft and Red Hat.

Add a service account that grants the traffic connector the permissions it needs.
You can use the Kubernetes Daemonset connector or eBPF on mTLS as your traffic connector.
Add the following to the Daemonset connector. By default it listens on the "any" interface, which might NOT be allowed in some OpenShift clusters. If that's the case, contact [email protected] - we can help you listen to traffic on the br-ex interface.
containers:
  - name: mirror-api-logging
    ...
    # add the following lines so the capture container runs as root with additional privileges
    # (privileged is a securityContext field, not a container-level field)
    securityContext:
      runAsUser: 0
      privileged: true
Service account manifest
On OpenShift, for a pod to be able to listen to node traffic (e.g., a daemonset pod), it needs to be assigned some special permissions.
1. Create a Service Account
apiVersion: v1
kind: ServiceAccount
metadata:
  name: akto-daemonset-serviceaccount
  annotations:
    "scc.openshift.io/scc": "akto-daemonset-scc"
2. Create a Security Context Constraint. Substitute <NAMESPACE> with the namespace used in the Akto daemonset YAML.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: akto-daemonset-scc
allowPrivilegedContainer: true
allowHostNetwork: true
requiredDropCapabilities:
  - NET_ADMIN
# each strategy appears once; the pod runs as UID 0 and privileged, so runAsUser must allow any UID
seLinuxContext:
  type: RunAsAny
runAsUser:
  type: RunAsAny
# fsGroup and supplementalGroups strategies added here: SCC validation rejects an empty strategy type
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users:
  - system:serviceaccount:<NAMESPACE>:akto-daemonset-serviceaccount
3. Add the SCC to the service account
oc adm policy add-scc-to-user akto-daemonset-scc -z akto-daemonset-serviceaccount
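After applying the three steps above, it is worth confirming that the binding actually took effect: that the service account appears in the SCC's users list and that the running daemonset pods were admitted under akto-daemonset-scc rather than a more restrictive default SCC (OpenShift records the admitting SCC in the pod's openshift.io/scc annotation). The script below is an added example, not part of the Akto docs or the Akto project; it assumes the SCC and service account names used above, takes the daemonset namespace as a value you supply, and is structured so the checks can also be run offline on constructed sample data.

```shell
#!/bin/sh
# Verification helper (added example, not part of the Akto docs or the Akto project).
# Assumptions: SCC_NAME and SA_NAME match the manifests above; the namespace
# holding the daemonset is passed in by the caller.
SCC_NAME="akto-daemonset-scc"
SA_NAME="akto-daemonset-serviceaccount"

# scc_has_user USERS_TEXT NAMESPACE
# USERS_TEXT is the SCC's .users list, one entry per line. Succeeds when the
# service account for NAMESPACE is bound to the SCC.
scc_has_user() {
  printf '%s\n' "$1" | grep -qx -- "system:serviceaccount:$2:$SA_NAME"
}

# pods_not_under_scc PODS_TEXT
# PODS_TEXT holds one "<pod-name> <admitting-scc>" pair per line, where the
# second field is the pod's openshift.io/scc annotation set by admission.
# Prints every pod that was NOT admitted under SCC_NAME (including pods with
# no annotation at all); an empty result means the rollout is as intended.
pods_not_under_scc() {
  printf '%s\n' "$1" | awk -v want="$SCC_NAME" 'NF && $2 != want { print $1 }'
}

# Live usage against a cluster (requires oc and rights to read SCCs):
#   ns=akto   # assumed namespace of the daemonset
#   users=$(oc get scc "$SCC_NAME" -o jsonpath='{range .users[*]}{@}{"\n"}{end}')
#   scc_has_user "$users" "$ns" || echo "service account is not bound to $SCC_NAME"
#   pods=$(oc get pods -n "$ns" -o jsonpath='{range .items[*]}{.metadata.name} {.metadata.annotations.openshift\.io/scc}{"\n"}{end}')
#   pods_not_under_scc "$pods"

# Constructed sample data so the script also runs offline:
SAMPLE_USERS="system:serviceaccount:akto:$SA_NAME"
SAMPLE_PODS="mirror-api-logging-abc12 akto-daemonset-scc
mirror-api-logging-def34 restricted-v2
mirror-api-logging-ghi56"

if scc_has_user "$SAMPLE_USERS" akto; then
  echo "service account is bound to $SCC_NAME"
fi
echo "pods not admitted under $SCC_NAME:"
pods_not_under_scc "$SAMPLE_PODS"
```

A pod admitted under restricted-v2 (or with no annotation at all, which usually means it never scheduled) is the typical symptom when the SCC was created in the wrong namespace string or the daemonset does not reference the service account; fix the binding and restart the daemonset rather than loosening the SCC further.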