📙 You will learn
How to configure ThreadFix to run on OpenShift.
Prerequisites
Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: N/A
In order to run ThreadFix on OpenShift there are a few special considerations. With the default Security Context Constraints, pods must be configured to run under certain user and group IDs. The following describes how to get the default UID and GID range and apply them to the ThreadFix installation.
Determine the valid UID range for the project:
```bash
oc get project <project_name> -o yaml
```
The output will appear like below:
```yaml
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  annotations:
    openshift.io/description: ""
    openshift.io/display-name: ""
    openshift.io/requester: kube:admin
    openshift.io/sa.scc.mcs: s0:c25,c0
    openshift.io/sa.scc.supplemental-groups: 1000600000/10000
    openshift.io/sa.scc.uid-range: 1000600000/10000
```
The values `openshift.io/sa.scc.uid-range` and `openshift.io/sa.scc.supplemental-groups` will be needed for setting the appropriate `<uid>` and `<gid>` in the following step.
Create a ‘myValues’ directory (if it does not exist).
```bash
mkdir -p myValues
```
Create a file named “openshift.yaml” with the following contents (replace `<uid>` and `<gid>` with valid values in the above range):
```yaml
kong:
  securityContext:
    runAsUser: <uid>
postgresql:
  master:
    extraInitContainers: |
      - name: init-chmod-data
        image: bitnami/minideb
        imagePullPolicy: Always
        {{- if .Values.resources }}
        resources: {{- toYaml .Values.resources | nindent 4 }}
        {{- end }}
        command:
          - /bin/sh
          - -c
          - |
            mkdir -p {{ .Values.persistence.mountPath }}/data
            chmod 0700 {{ .Values.persistence.mountPath }}/data
        securityContext:
          runAsUser: {{ .Values.securityContext.runAsUser }}
        volumeMounts:
          - name: data
            mountPath: {{ .Values.persistence.mountPath }}
            subPath: {{ .Values.persistence.subPath }}
  securityContext:
    enabled: true
    fsGroup: "<gid>"
    runAsUser: "<uid>"
  volumePermissions:
    enabled: false
    securityContext:
      runAsUser: null
  shmVolume:
    enabled: false
minio:
  securityContext:
    enabled: false
```
Follow the ThreadFix 3.0 Production Deployment instructions. On the “helm install” step, append `-f openshift.yaml` to the helm command to include these settings in the installation.
Finish any other tasks from the Installation Checklist, then Install with Helm.
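A pre-flight check for the steps above, as an added example that is not part of the ThreadFix documentation: it reads the project's range annotations and flags any literal `runAsUser` or `fsGroup` in the values file that falls outside them, since the default Security Context Constraints will not accept such IDs. The function names and both sample inputs are constructed for illustration, and only the `<start>/<size>` range form shown on this page is handled.

```shell
# Added example; function names are hypothetical. Constructed sample of
# `oc get project <project_name> -o yaml` (annotation values taken from the page).
SAMPLE_PROJECT_YAML='metadata:
  annotations:
    openshift.io/sa.scc.supplemental-groups: 1000600000/10000
    openshift.io/sa.scc.uid-range: 1000600000/10000'
# Constructed values fragment: kong uses a UID outside the project range.
SAMPLE_VALUES='kong:
  securityContext:
    runAsUser: 1001
postgresql:
  securityContext:
    fsGroup: "1000600000"
    runAsUser: "1000600000"
  volumePermissions:
    securityContext:
      runAsUser: null'

# annotation NAME: print openshift.io/sa.scc.NAME from project YAML on stdin.
annotation() {
  awk -v k="openshift.io/sa.scc.$1:" '$1 == k { gsub(/"/, "", $2); print $2; exit }'
}

# in_range RANGE ID: 0 if ID is inside the <start>/<size> block, 1 if outside, 2 if malformed.
in_range() {
  case "$1" in */*) ;; *) return 2 ;; esac
  start=${1%%/*}; size=${1#*/}
  for n in "$start" "$size" "$2"; do
    case "$n" in ''|*[!0-9]*) return 2 ;; esac
  done
  [ "$2" -ge "$start" ] && [ "$2" -lt $((start + size)) ]
}

# check_values UID_RANGE GID_RANGE: scan a values file on stdin, report literal IDs
# that are out of range, and return 1 if any were found.
check_values() {
  bad=0
  while read -r key val rest; do
    val=$(printf '%s' "$val" | tr -d '"')
    case "$key" in runAsUser:) range=$1 ;; fsGroup:) range=$2 ;; *) continue ;; esac
    case "$val" in ''|*[!0-9]*) continue ;; esac   # skip null, templates, <uid>/<gid>
    in_range "$range" "$val" || { echo "out of range: $key $val"; bad=1; }
  done
  return "$bad"
}

uid_range=$(printf '%s\n' "$SAMPLE_PROJECT_YAML" | annotation uid-range)
gid_range=$(printf '%s\n' "$SAMPLE_PROJECT_YAML" | annotation supplemental-groups)
printf '%s\n' "$SAMPLE_VALUES" | check_values "$uid_range" "$gid_range" || echo "fix openshift.yaml"
```

Against a real project, pipe `oc get project <project_name> -o yaml` into `annotation` and feed `openshift.yaml` to `check_values` before running the helm command.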