chore: document minimal security context settings

Add documentation that describes how to use opentelemetry-operator in restrictive clusters, such as enabling runAsRoot, dropping capabilities, and configuring seccomp confinement.
open-telemetry · Nov 24, 2022 · 588c80a · 588c80a
1 parent 1eed17e
commit 588c80a
Showing 1 changed file with 48 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -306,6 +306,54 @@ You can configure the OpenTelemetry SDK for applications which can't currently b
 instrumentation.opentelemetry.io/inject-sdk: "true"
 ```
 
+### Installing in restricted clusters
+
+Many clusters enforce restrictions on workloads using [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) or other policy systems, which may conflict with the collector deployment or sidecar containers that the `opentelemetry-operator` creates. You can customize the [pod and container security context settings](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) using the appropriate field in the `OpenTelemetryCollector` resource definition.
+
+In `sidecar` mode, the `opentelemetry-operator` ignores the pod security context settings, so use an example like this:
+
+```yaml
+apiVersion: opentelemetry.io/v1alpha1
+kind: OpenTelemetryCollector
+spec:
+  mode: sidecar
+  securityContext:
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+      - ALL
+```
+
+In `deployment` mode, the `opentelemetry-operator` manages both the container and pod security contexts, so the following settings are a good default for most clusters:
+
+```yaml
+apiVersion: opentelemetry.io/v1alpha1
+kind: OpenTelemetryCollector
+spec:
+  mode: deployment
+  securityContext:
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+      - ALL
+  podSecurityContext:
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+```
+
+You can optionally configure `runAsUser` and set it to `10001`, as this is the `USER` defined in the [opentelemetry-collector Dockerfile](https://github.com/open-telemetry/opentelemetry-collector-releases/blob/main/distributions/otelcol/Dockerfile). In OpenShift, however, configuring this explicitly will conflict with the default `restricted` Security Context Constraint, which runs pods with a project/namespace-specific User ID (UID).
+
+For a full list of settings, consult the type definition in [opentelemetrycollector_types.go](./apis/v1alpha1/opentelemetrycollector_types.go) or [API docs](./docs/api.md).
+
 ## Compatibility matrix
 
 ### OpenTelemetry Operator vs. OpenTelemetry Collector