Connect Akto with Azure OpenShift

Azure Red Hat OpenShift provides highly available, fully managed OpenShift clusters on demand, monitored and operated jointly by Microsoft and Red Hat.

  1. Add service account to get permissions for traffic connector.

  2. You can use Kubernetes Daemonset connector or eBPF on mTLS as your traffic connector.

Add the following to the Daemonset connector -

They listen to any interface by default - which might NOT be allowed in some Openshift clusters. If that's the case, contact [email protected] - we can help listen traffic on br-ex interface.

     containers:
      - name: mirror-api-logging
        ... 
        # add the following lines to add additional privileges
        privileged: true	
        securityContext:
          runAsUser: 0
          privileged: true

Service account manifest

On Openshift, for a pod to be able to listen to node traffic (eg. a daemonset pod), it needs to be assigned some special permissions.

1. Create a Service Account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: akto-daemonset-serviceaccount
  annotations:
    "scc.openshift.io/scc": "akto-daemonset-scc"
  1. Create a Security Context Constraint. Substitute <NAMESPACE> with Akto daemonset yaml namespace.

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: akto-daemonset-scc
allowPrivilegedContainer: true
allowHostNetwork: true
requiredDropCapabilities:
- NET_ADMIN
seLinuxContext:
  type: RunAsAny
runAsUser:
  type: RunAsAny
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
users:
- system:serviceaccount:<NAMESPACE>:akto-daemonset-serviceaccount
  1. Add SCC to service account

oc adm policy add-scc-to-user akto-daemonset-scc -z akto-daemonset-serviceaccount

Last updated

Was this helpful?