Enabling the Security Profiles Operator

Before you can use the Security Profiles Operator, you must ensure the Operator is deployed in the cluster.

The Security Profiles Operator supports only Red Hat Enterprise Linux CoreOS (RHCOS) worker nodes. Red Hat Enterprise Linux (RHEL) nodes are not supported.

The Security Profiles Operator only supports x86_64 architecture.

Installing the Security Profiles Operator

Prerequisites

  • You must have admin privileges.

Procedure

  1. In the OKD web console, navigate to OperatorsOperatorHub.

  2. Search for the Security Profiles Operator, then click Install.

  3. Keep the default selection of Installation mode and namespace to ensure that the Operator will be installed to the openshift-security-profiles namespace.

  4. Click Install.

Verification

To confirm that the installation is successful:

  1. Navigate to the OperatorsInstalled Operators page.

  2. Check that the Security Profiles Operator is installed in the openshift-security-profiles namespace and its status is Succeeded.

If the Operator is not installed successfully:

  1. Navigate to the OperatorsInstalled Operators page and inspect the Status column for any errors or failures.

  2. Navigate to the WorkloadsPods page and check the logs in any pods in the openshift-security-profiles project that are reporting issues.

Installing the Security Profiles Operator using the CLI

Prerequisites

  • You must have admin privileges.

Procedure

  1. Define a Namespace object:

    Example namespace-object.yaml

    1. apiVersion: v1
    2. kind: Namespace
    3. metadata:
    4.     name: openshift-security-profiles
    5. labels:
    6.   openshift.io/cluster-monitoring: "true"

  2. Create the Namespace object:

    1. $ oc create -f namespace-object.yaml

  3. Define an OperatorGroup object:

    Example operator-group-object.yaml

    1. apiVersion: operators.coreos.com/v1
    2. kind: OperatorGroup
    3. metadata:
    4.   name: security-profiles-operator
    5.   namespace: openshift-security-profiles

  4. Create the OperatorGroup object:

    1. $ oc create -f operator-group-object.yaml

  5. Define a Subscription object:

    Example subscription-object.yaml

    1. apiVersion: operators.coreos.com/v1alpha1
    2. kind: Subscription
    3. metadata:
    4.   name: security-profiles-operator-sub
    5.   namespace: openshift-security-profiles
    6. spec:
    7.   channel: release-alpha-rhel-8
    8.   installPlanApproval: Automatic
    9.   name: security-profiles-operator
    10.   source: redhat-operators
    11.   sourceNamespace: openshift-marketplace

  6. Create the Subscription object:

    1. $ oc create -f subscription-object.yaml

If you are setting the global scheduler feature and enable defaultNodeSelector, you must create the namespace manually and update the annotations of the openshift-security-profiles namespace, or the namespace where the Security Profiles Operator was installed, with openshift.io/node-selector: “”. This removes the default node selector and prevents deployment failures.

Verification

  1. Verify the installation succeeded by inspecting the following CSV file:

    1. $ oc get csv -n openshift-security-profiles

  2. Verify that the Security Profiles Operator is operational by running the following command:

    1. $ oc get deploy -n openshift-security-profiles

Configuring logging verbosity

The Security Profiles Operator supports the default logging verbosity of 0 and an enhanced verbosity of 1.

Procedure

  • To enable enhanced logging verbosity, patch the spod configuration and adjust the value by running the following command:

    1. $ oc -n openshift-security-profiles patch spod \
    2.     spod --type=merge -p '{"spec":{"verbosity":1}}'

    Example output

    1. securityprofilesoperatordaemon.security-profiles-operator.x-k8s.io/spod patched