Table of contents
Topics on this page

OpenShift best practices

To deploy runtime security onto OpenShift, you must use a privileged user (a user in the system:cluster-admins Kubernetes group). On ROSA, this is usually the cluster-admin user. On ARO, this is usually the kubeadmin user.

Normal OpenShift activities can trigger runtime security rules and generate large numbers of events. To prevent those events from being generated, you can exclude some namespaces by adding the following to your overrides file:

cloudOne:
  exclusion:
    namespaces: [list, of, namespaces]

On OpenShift, you may want to exclude the following namespaces:

cloudOne:
  exclusion:
    namespaces: [openshift, openshift-apiserver, openshift-apiserver-operator, openshift-aqua, openshift-authentication, openshift-authentication-operator, openshift-backplane,
    openshift-backplane-cee, openshift-backplane-srep, openshift-build-test, openshift-cloud-credential-operator, openshift-cloud-ingress-operator, openshift-cluster-csi-drivers,
    openshift-cluster-machine-approver, openshift-cluster-node-tuning-operator, openshift-cluster-samples-operator, openshift-cluster-storage-operator, openshift-cluster-version,
    openshift-codeready-workspaces, openshift-config, openshift-config-managed, openshift-config-operator, openshift-console, openshift-console-operator, openshift-console-user-settings,
    openshift-controller-manager, openshift-controller-manager-operator, openshift-custom-domains-operator, openshift-customer-monitoring, openshift-dns, openshift-dns-operator,
    openshift-etcd, openshift-etcd-operator, openshift-host-network, openshift-image-registry, openshift-infra, openshift-ingress, openshift-ingress-canary, openshift-ingress-operator,
    openshift-insights, openshift-kni-infra, openshift-kube-apiserver, openshift-kube-apiserver-operator, openshift-kube-controller-manager, openshift-kube-controller-manager-operator,
    openshift-kube-scheduler, openshift-kube-scheduler-operator, openshift-kube-storage-version-migrator, openshift-kube-storage-version-migrator-operator, openshift-kubevirt-infra,
    openshift-logging, openshift-machine-api, openshift-machine-config-operator, openshift-managed-upgrade-operator, openshift-marketplace, openshift-monitoring, openshift-multus,
    openshift-must-gather-operator, openshift-network-diagnostics, openshift-network-operator, openshift-node, openshift-oauth-apiserver, openshift-openstack-infra,
    openshift-operator-lifecycle-manager, openshift-operators, openshift-operators-redhat, openshift-osd-metrics, openshift-ovirt-infra, openshift-rbac-permissions,
    openshift-route-monitor-operator, openshift-sdn, openshift-security, openshift-service-ca, openshift-service-ca-operator, openshift-splunk-forwarder-operator, openshift-sre-pruning,
    openshift-sre-sshd, openshift-strimzi, openshift-user-workload-monitoring, openshift-validation-webhook, openshift-velero, openshift-vsphere-infra]

By default, OpenShift applies taints to the infrastructure and master nodes which results in the runtime security pods not being assigned to these nodes. If you would like to add runtime security to these nodes, you may add the following tolerations to your overrides file:

tolerations:
  scout:
  - effect: NoSchedule
    key: node-role.kubernetes.io/infra
    operator: Exists
  - effect: NoSchedule
    key: node-role.kubernetes.io/master
    operator: Exists