This repository contains an example of a custom Strimzi Pod Security Provider. It is used in a blog post on the Strimzi blog.
This repository contains two examples of custom providers:
CustomPodSecurityProvideris written from scratch by implementing thePodSecurityProviderinterface. It runs all containers with a read-only root filesystem.CustomPodSecurityProvider2is written by extending the Strimzi restricted provider. But unlike the original restricted provider, it allows to run Kafka Connect Build using the Kaniko builder which requires running as root. All other Pods / containers are using the restricted policies.
- Install Java 17, Maven, and Docker.
- Build the Java JAR file with the custom policies
mvn clean package
-
Build the container image with the additional JAR file:
docker build -t quay.io/scholzj/operator:custom-providers .(Note: Update the command to use your container registry and repository.)
-
Push the image to the repository:
docker push quay.io/scholzj/operator:custom-providers(Note: Update the command to use your container registry and repository.)
-
Use the newly built image in the Strimzi Cluster Operator deployment
-
In the Strimzi Cluster Operator Deployment, set the
JAVA_CLASSPATHenvironment variable tolib/custom-pod-security-providers-1.0-SNAPSHOT.jar(supported only from Strimzi 0.34.0):- name: JAVA_CLASSPATH value: lib/custom-pod-security-providers-1.0-SNAPSHOT.jar -
And configure the Pod Security Provider. For example:
- name: STRIMZI_POD_SECURITY_PROVIDER_CLASS value: cz.scholz.providers.CustomPodSecurityProvider
Deploy a Kafka cluster using one of the Strimzi examples. Once it is deployed, you can check its Security Context and you should see that all containers will have the read-only root filesystem option enabled. For example:
apiVersion: v1
kind: Pod
metadata:
name: my-cluster-kafka-0
# ...
spec:
# ...
containers:
name: kafka
securityContext:
readOnlyRootFilesystem: true
# ...