https://community.dynatrace.com/t5/Dynatrace-tips/How-to-handle-SCCs-with-Openshift-lt-4-12-when-monitoring-using/m-p/248281#M1681 <P>Many customers, interested in <STRONG><A href="https://docs.dynatrace.com/docs/shortlink/how-it-works-k8s#cloud-native" target="_self">Cloud Native</A></STRONG> mode, have come down on the hurdle of <EM>SCCs</EM> in case they had an <STRONG>Openshift</STRONG> version less than or equal to 4.12.</P><P>For those who don't know, but the Dynatrace <A href="https://docs.dynatrace.com/docs/shortlink/openshift-configuration#security-context-constraints-sccs" target="_self">doc explains it</A>, in the case of OpenShift it is important to manage <EM>SCCs</EM>, in particular the coexistence between our <EM>CSI</EM> module (typical for Cloud Native mode deployment) and the default <EM>SCCs</EM>.</P><P><STRONG>Cloud Native</STRONG> mode involves the use of <EM>CSI</EM> volumes to enable the injection of agents into application pods.</P><P>This requires that the <EM>CSI</EM> module be allowed from an <EM>SCC</EM> perspective used by the application pods themselves.</P><P>If the application pods are using a dedicated service account, this is not a particular problem, it would be sufficient to modify/add a custom <EM>SCC</EM> to allow the <EM>CSI</EM> volume to be mounted, <A href="https://docs.dynatrace.com/docs/shortlink/openshift-configuration#code-module-injection-for-application-monitoring" target="_self">as indicated by our doc</A>.</P><P>The problem emerges when the application pods use a default service account, which in turn use the base SCCs.<BR />With <STRONG>Openshift</STRONG> 4.12 or lower, these base <EM>SCCs</EM> however did not include <EM>CSI </EM>volume mount among the allowed ("fixed" by <STRONG>OpenShift</STRONG> 4.13) and RedHat advises against, in order not to lose support, modifying base <EM>SCCs</EM> (usually the <SPAN><EM>restricted-v2</EM>)</SPAN>&nbsp;to include this permission.</P><P><U><STRONG>What then are the possible solutions?</STRONG></U><BR />I here try to list a few, <U>kindly ask for integration/correction:</U></P><UL><LI>Upgrade <STRONG>OpenShift</STRONG> to version 4.13 or higher</LI><LI>Create a dedicated service account with a custom <EM>SCC</EM> with the <EM>CSI</EM> permission. Then add this service account to the application workload (pod, deployment ...) - <A href="https://github.com/Azure/secrets-store-csi-driver-provider-azure/discussions/1062#discussioncomment-7267143" target="_self">here</A> is explained.<BR />Is not suggested to edit the default service account.&nbsp;</LI><LI>If the application is using a dedicated service account, just bind a custom <EM>SCC</EM> with <EM>CSI</EM> enabled or edit an existing used&nbsp;<EM>SCC</EM>.</LI><LI>Use <STRONG>Classic FullStack</STRONG>.</LI></UL> Thu, 13 Jun 2024 16:30:34 GMT yanezza 2024-06-13T16:30:34Z https://community.dynatrace.com/t5/Dynatrace-tips/How-to-handle-SCCs-with-Openshift-lt-4-12-when-monitoring-using/m-p/248281#M1681 <P>Many customers, interested in <STRONG><A href="https://docs.dynatrace.com/docs/shortlink/how-it-works-k8s#cloud-native" target="_self">Cloud Native</A></STRONG> mode, have come down on the hurdle of <EM>SCCs</EM> in case they had an <STRONG>Openshift</STRONG> version less than or equal to 4.12.</P><P>For those who don't know, but the Dynatrace <A href="https://docs.dynatrace.com/docs/shortlink/openshift-configuration#security-context-constraints-sccs" target="_self">doc explains it</A>, in the case of OpenShift it is important to manage <EM>SCCs</EM>, in particular the coexistence between our <EM>CSI</EM> module (typical for Cloud Native mode deployment) and the default <EM>SCCs</EM>.</P><P><STRONG>Cloud Native</STRONG> mode involves the use of <EM>CSI</EM> volumes to enable the injection of agents into application pods.</P><P>This requires that the <EM>CSI</EM> module be allowed from an <EM>SCC</EM> perspective used by the application pods themselves.</P><P>If the application pods are using a dedicated service account, this is not a particular problem, it would be sufficient to modify/add a custom <EM>SCC</EM> to allow the <EM>CSI</EM> volume to be mounted, <A href="https://docs.dynatrace.com/docs/shortlink/openshift-configuration#code-module-injection-for-application-monitoring" target="_self">as indicated by our doc</A>.</P><P>The problem emerges when the application pods use a default service account, which in turn use the base SCCs.<BR />With <STRONG>Openshift</STRONG> 4.12 or lower, these base <EM>SCCs</EM> however did not include <EM>CSI </EM>volume mount among the allowed ("fixed" by <STRONG>OpenShift</STRONG> 4.13) and RedHat advises against, in order not to lose support, modifying base <EM>SCCs</EM> (usually the <SPAN><EM>restricted-v2</EM>)</SPAN>&nbsp;to include this permission.</P><P><U><STRONG>What then are the possible solutions?</STRONG></U><BR />I here try to list a few, <U>kindly ask for integration/correction:</U></P><UL><LI>Upgrade <STRONG>OpenShift</STRONG> to version 4.13 or higher</LI><LI>Create a dedicated service account with a custom <EM>SCC</EM> with the <EM>CSI</EM> permission. Then add this service account to the application workload (pod, deployment ...) - <A href="https://github.com/Azure/secrets-store-csi-driver-provider-azure/discussions/1062#discussioncomment-7267143" target="_self">here</A> is explained.<BR />Is not suggested to edit the default service account.&nbsp;</LI><LI>If the application is using a dedicated service account, just bind a custom <EM>SCC</EM> with <EM>CSI</EM> enabled or edit an existing used&nbsp;<EM>SCC</EM>.</LI><LI>Use <STRONG>Classic FullStack</STRONG>.</LI></UL> Thu, 13 Jun 2024 16:30:34 GMT https://community.dynatrace.com/t5/Dynatrace-tips/How-to-handle-SCCs-with-Openshift-lt-4-12-when-monitoring-using/m-p/248281#M1681 yanezza 2024-06-13T16:30:34Z