From 7cfcf41acf57d9a6bc23ef5de27c9cacf808391c Mon Sep 17 00:00:00 2001
From: Gabriel Mainberger
Date: Fri, 9 Jun 2023 17:22:36 +0200
Subject: [PATCH] Add Keycloak Pod Security Admission documentation for OpenShift 4

OpenShift 4.11 introduces pod security admission globally.
---
 .../ROOT/pages/how-tos/custom-theme.adoc | 7 +++
 .../ROOT/pages/how-tos/openshift-4.adoc | 55 +++++++++++++++++++
 2 files changed, 62 insertions(+)

diff --git a/docs/modules/ROOT/pages/how-tos/custom-theme.adoc b/docs/modules/ROOT/pages/how-tos/custom-theme.adoc
index 9f297941..6cdbb3d3 100644
--- a/docs/modules/ROOT/pages/how-tos/custom-theme.adoc
+++ b/docs/modules/ROOT/pages/how-tos/custom-theme.adoc
@@ -52,6 +52,13 @@ parameters:
 volumeMounts:
 - name: themes
 mountPath: /target
+ ## Hardening
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ ## Hardening end
 extraVolumes:
 themes:
diff --git a/docs/modules/ROOT/pages/how-tos/openshift-4.adoc b/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
index 1ead2cac..c873e441 100644
--- a/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
+++ b/docs/modules/ROOT/pages/how-tos/openshift-4.adoc
@@ -23,6 +23,61 @@ parameters:
 # Required as the OpenShift user can not create the data directory in the keycloak directory UID 1000/GID 0
 data:
 mountPath: /opt/keycloak/data
+----
+
+== Parameters for OpenShift 4.11 and higher
+
+OpenShift 4.11 introduces https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html#ocp-4-11-auth-pod-security-admission[Pod Security Admission] globally.
+
+`runAsUser` and `runAsGroup` must be unset.
+
+The pod security context can be configured like:
+[source,yaml,subs="attributes+"]
+----
+parameters:
+ keycloak:
+ helm_values:
+ podSecurityContext:
+ fsGroup: null
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ runAsUser: null
+ dbchecker:
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: null
+ runAsUser: null
+----
+
+You may enforce the Pod Security Admission on a namespace level:
+[source,yaml,subs="attributes+"]
+----
+parameters:
+ keycloak:
+ namespaceLabels:
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/warn: restricted
+ security.openshift.io/scc.podSecurityLabelSync: "false"
+----
+
+== Parameters for up to OpenShift 4.10
+
+OpenShift 4.10 and below do no support pod security admission.
+`runAsUser` and `runAsGroup` must be unset.
+
+[source,yaml,subs="attributes+"]
+----
+parameters:
+ keycloak:
 helm_values:
 podSecurityContext: null
 securityContext: null
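Review bot: The `restricted` profile that the namespace labels in the second snippet enforce also requires `allowPrivilegeEscalation: false` to be set explicitly on every container, but neither the keycloak `securityContext` nor the `dbchecker` one in the first snippet sets it, while the custom-theme hunk in this same commit does set it for the themes init container. Unless the chart defaults already carry the field, each `securityContext:` block in the 4.11 example should gain the line `allowPrivilegeEscalation: false` next to its `capabilities.drop` entry so that the documented values alone satisfy the profile. On OpenShift the restricted-v2 SCC may default the field before admission, so the omission might surface only as a warning rather than a rejection — worth confirming on a 4.11 cluster before relying on it. The added prose under the 4.10 heading reads `do no support`, which should be `do not support`.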