Epic Goal

The goal of this epic is to guarantee that all pods running within the ACM (Advanced Cluster Management) cluster adhere to Kubernetes Security Context Constraints (SCC). The implementation of a comprehensive SCC compliance checking system will proactively maintain a secure and compliant environment, mitigating security risks.

Why is this important?

Ensuring SCC compliance is critical for the security and stability of a Kubernetes cluster. 

Scenarios

A customer who is responsible for overseeing the operations of their cluster, faces the challenge of maintaining a secure and compliant Kubernetes environment. The organization relies on the ACM cluster to run a variety of critical workloads across multiple namespaces. Security and compliance are top priorities, especially considering the sensitive nature of the data and applications hosted in the cluster.

Deployments to Investigate

Only Annotation Needed:

• [ ] cluster-permission (ALC)
• [x] cluster-proxy (foundation)
• [x] cluster-proxy-addon-manager (foundation)
• [x] cluster-proxy-addon-user (foundation)
• [ ] endpoint-observability-operator (Observability)
• [x] grc-policy-propagator (GRC) – create the PR, no concerns from team
• [ ] hiveadmission (Hive)
• [ ] hive-clustersync (Hive)
• [ ] hive-controllers (Hive)
• [ ] insights-metrics (Search)
• [ ] klusterlet-addon-search (Search)
• [ ] operator (Hypershift)

Further Investigation Needed

• [ ] application-manager (ALC)
• [x] cluster-manager (foundation)
• [x] cluster-manager-addon-manager-controller (foundation)
• [x] cluster-manager-placement-controller (foundation)
• [x] cluster-manager-registration-controller (foundation)
• [x] cluster-manager-registration-webhook (foundation)
• [x] cluster-manager-work-webhook (foundation)
• [x] cluster-proxy-proxy-agent (foundation)
• [ ] cluster-proxy-service-proxy (foundation)
• [ ] hypershift-addon-agent (Hypershift)
• [ ] hypershift-install-job (Hypershift)
• [x] klusterlet (SF)
• [ ] klusterlet-agent (SF)
• [ ] metrics-collector-deployment (Observability)
• [ ] search-postgres (Search)
• [ ] uwl-metrics-collector-deployment (Observability)

Acceptance Criteria

• [ ] Develop a script capable of automated checks for SCC compliance for all pods within the ACM cluster, spanning multiple namespaces.

Dependencies (internal and external)

1. ...

Previous Work (Optional):

1. ...

Open questions:

1. …

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
  Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub
  Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>