📙 You will learn

How to configure ThreadFix to run on OpenShift.

Prerequisites

Audience: IT Professional
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: N/A

Running ThreadFix on OpenShift requires a few special considerations. Under the default Security Context Constraints (SCCs), pods must run under user and group IDs from the range assigned to the project. The following steps describe how to find the default UID and GID range and apply it to the ThreadFix installation.

  1. Determine the valid UID range for the project:

    oc get project <project_name> -o yaml


    The output will look similar to the following:

    apiVersion: project.openshift.io/v1
    kind: Project
    metadata:
      annotations:
        openshift.io/description: ""
        openshift.io/display-name: ""
        openshift.io/requester: kube:admin
        openshift.io/sa.scc.mcs: s0:c25,c0
        openshift.io/sa.scc.supplemental-groups: 1000600000/10000
        openshift.io/sa.scc.uid-range: 1000600000/10000

    The values of the openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups annotations are needed to set the appropriate <uid> and <gid> in step 3.

  2. Create a ‘myValues’ directory (if it does not exist).

    mkdir -p myValues

  3. Create a file named “openshift.yaml” with the following contents (replace <uid> and <gid> with valid values in the above range):

    kong:
      securityContext:
        runAsUser: <uid>
      postgresql:
        master:
          extraInitContainers: |
            - name: init-chmod-data
              image: bitnami/minideb
              imagePullPolicy: Always
              {{- if .Values.resources }}
              resources: {{- toYaml .Values.resources | nindent 4 }}
              {{- end }}
              command:
                - /bin/sh
                - -c
                - |
                  mkdir -p {{ .Values.persistence.mountPath }}/data
                  chmod 0700 {{ .Values.persistence.mountPath }}/data
              securityContext:
                runAsUser: {{ .Values.securityContext.runAsUser }}
              volumeMounts:
                - name: data
                  mountPath: {{ .Values.persistence.mountPath }}
                  subPath: {{ .Values.persistence.subPath }}
        securityContext:
          enabled: true
          fsGroup: "<gid>"
          runAsUser: "<uid>"
        volumePermissions:
          enabled: false
          securityContext:
            runAsUser: null
        shmVolume:
          enabled: false
    minio:
      securityContext:
        enabled: false

  4. Finish any other tasks from the Installation Checklist, then Install with Helm.
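
The range annotations from step 1 use the form <start>/<size>, so 1000600000/10000 covers IDs 1000600000 through 1000609999. The shell functions below are an added example, not part of the ThreadFix documentation: they check that a chosen <uid> or <gid> lies inside the annotated range before it is written to openshift.yaml. The function names and the sample IDs are assumptions for illustration, and the handling of the <start>-<end> form and of comma-separated blocks goes beyond the single form the page shows.

```sh
#!/bin/sh
# Added example: validate a chosen UID/GID against a project's SCC range annotation.

# is_uint VALUE: accept only a plain decimal integer without leading zeros,
# so nothing else ever reaches shell arithmetic.
is_uint() {
  case "$1" in
    ''|*[!0-9]*|0?*) return 1 ;;
    *) return 0 ;;
  esac
}

# range_bounds ANNOTATION: print "first last" for a "<start>/<size>" block
# (the form shown in step 1) or a "<start>-<end>" block.
range_bounds() {
  rb_block=${1%%,*}   # if several comma-separated blocks are listed, use the first
  case "$rb_block" in
    */*) rb_first=${rb_block%%/*}; rb_size=${rb_block#*/}
         is_uint "$rb_first" && is_uint "$rb_size" && [ "$rb_size" -gt 0 ] || return 1
         rb_last=$((rb_first + rb_size - 1)) ;;
    *-*) rb_first=${rb_block%%-*}; rb_last=${rb_block#*-}
         is_uint "$rb_first" && is_uint "$rb_last" && [ "$rb_last" -ge "$rb_first" ] || return 1 ;;
    *)   return 1 ;;
  esac
  echo "$rb_first $rb_last"
}

# id_in_range ID ANNOTATION: succeed only if ID lies inside the annotated range.
id_in_range() {
  is_uint "$1" || return 1
  ir_bounds=$(range_bounds "$2") || return 1
  ir_first=${ir_bounds% *}; ir_last=${ir_bounds#* }
  [ "$1" -ge "$ir_first" ] && [ "$1" -le "$ir_last" ]
}

# Range values copied from the sample output in step 1. On a live cluster they
# can be read with:
#   oc get project <project_name> -o jsonpath='{.metadata.annotations.openshift\.io/sa\.scc\.uid-range}'
uid_range="1000600000/10000"
gid_range="1000600000/10000"
uid=1000600001   # constructed sample choice for <uid>
gid=1000600001   # constructed sample choice for <gid>

if id_in_range "$uid" "$uid_range" && id_in_range "$gid" "$gid_range"; then
  echo "uid=$uid and gid=$gid are inside the project's ranges"
else
  echo "uid=$uid or gid=$gid is outside the project's ranges" >&2
fi
```
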
