- Security context constraints within the GitLab deployment
Pods in OpenShift receive permissions based on their security context constraints. Security context constraints, often abbreviated SCC, simplify the role based access control mechanism for use in large scale deployments. Administrators may consult the upstream documentation to gain more insight into how security context constraints work and their place in OpenShift
Administrators may also consult the following resources:
gitlab-controller-manager deployment creates and manages the pod
containing the Operator processes. This and any other pod it creates and
manages run with the restricted security context constraint.
The Operator uses a ServiceAccount with robust permissions allowing it to manage all resources required by the GitLab application.
The Operator manages the component services comprising Cloud Native GitLab. It actively terminates and replaces pods that do not conform to the UID specified by the Operator. This mechanism enforces the principle of least privilege.
Pods deployed by the Operator to satisfy GitLab custom resources use the anyuid security context constraint. Security context constraints for third party operators and resources are covered in the next section.
gitlab-app ServiceAccount has no granted privileges. It exists solely
to bind the anyuid security context constraint to GitLab application
The security context constraints will be tightened in future releases as the full read/write behaviors of the GitLab application are validated within the OpenShift security model.
Administrators coming to Cloud Native GitLab from Omnibus should note that
Omnibus tasks performed with
sudo are handled by OpenShift and the
underlying Kubernetes engine. Pods are individual services which, in GitLab
Omnibus, drop privilege to run as an application-specific user. The
Operator will terminate any pod that is not operating with the expected UID.
GitLab recommends and tests deployments using the
nginx-ingress-controller when deploying Cloud Native GitLab. It uses its
nginx-ingress-scc security context constraint.
If selecting an alternative Ingress controller, please consult the relevant documentation to learn more about its security context constraints.
Operator deploys the cert-manager-operator from JetStack to manage SSL certificates across the GitLab application. The cert-manager-operator sets no secure context constraints directly, thus OpenShift will apply the restricted security context constraint by default.