Red Hat Advanced Cluster Management / ACM-8443

Ensure Kubernetes SCC V2 Compliance for Pods in ACM Cluster



      Epic Goal

      The goal of this epic is to guarantee that all pods running within the ACM (Advanced Cluster Management) cluster adhere to Kubernetes Security Context Constraints (SCC). The implementation of a comprehensive SCC compliance checking system will proactively maintain a secure and compliant environment, mitigating security risks.

      Why is this important?

      Ensuring SCC compliance is critical for the security and stability of a Kubernetes cluster.

      A customer responsible for overseeing the operations of their cluster faces the challenge of maintaining a secure and compliant Kubernetes environment. The organization relies on the ACM cluster to run a variety of critical workloads across multiple namespaces. Security and compliance are top priorities, especially given the sensitive nature of the data and applications hosted in the cluster.

      Deployments to Investigate

      Only Annotation Needed:

      • [ ] cluster-permission (ALC)
      • [x] cluster-proxy (foundation)
      • [x] cluster-proxy-addon-manager (foundation)
      • [x] cluster-proxy-addon-user (foundation)
      • [ ] endpoint-observability-operator (Observability)
      • [x] grc-policy-propagator (GRC) – create the PR, no concerns from team
      • [ ] hiveadmission (Hive)
      • [ ] hive-clustersync (Hive)
      • [ ] hive-controllers (Hive)
      • [ ] insights-metrics (Search)
      • [ ] klusterlet-addon-search (Search)
      • [ ] operator (Hypershift)

      Further Investigation Needed

      • [ ] application-manager (ALC)
      • [x] cluster-manager (foundation)
      • [x] cluster-manager-addon-manager-controller (foundation)
      • [x] cluster-manager-placement-controller (foundation)
      • [x] cluster-manager-registration-controller (foundation)
      • [x] cluster-manager-registration-webhook (foundation)
      • [x] cluster-manager-work-webhook (foundation)
      • [x] cluster-proxy-proxy-agent (foundation)
      • [ ] cluster-proxy-service-proxy (foundation)
      • [ ] hypershift-addon-agent (Hypershift)
      • [ ] hypershift-install-job (Hypershift)
      • [x] klusterlet (SF)
      • [ ] klusterlet-agent (SF)
      • [ ] metrics-collector-deployment (Observability)
      • [ ] search-postgres (Search)
      • [ ] uwl-metrics-collector-deployment (Observability)

      Acceptance Criteria

      • [ ] Develop a script capable of automated checks for SCC compliance for all pods within the ACM cluster, spanning multiple namespaces.
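
      One way such a check could be written, as an added example rather than ACM's own tooling: it reads `kubectl get pods -A -o json` output and flags pods that are not pinned to an SCC, were admitted under a different SCC than the one they declare, or run under a host-access or privileged SCC. It assumes the `openshift.io/scc` annotation written by SCC admission and the `openshift.io/required-scc` pinning annotation (OpenShift 4.14+); that the latter is the "annotation" the checklist above refers to is an assumption, and the sample pod list is constructed.

```python
import json
import sys

# Annotation that OpenShift SCC admission writes with the SCC that admitted the pod.
ASSIGNED_SCC = "openshift.io/scc"
# Annotation pinning the SCC a pod must be admitted under (OpenShift 4.14+).
# Assumption: this is the "annotation" the epic's checklist refers to.
REQUIRED_SCC = "openshift.io/required-scc"
# SCCs granting host or privileged access; pods admitted under them are flagged.
HIGH_PRIVILEGE_SCCS = {"privileged", "hostaccess", "hostnetwork", "hostmount-anyuid"}


def check_pod(pod):
    """Return finding strings for one pod; an empty list means compliant."""
    ann = pod.get("metadata", {}).get("annotations") or {}
    assigned, required = ann.get(ASSIGNED_SCC), ann.get(REQUIRED_SCC)
    findings = []
    if required is None:
        findings.append("missing %s annotation" % REQUIRED_SCC)
    if assigned is None:
        findings.append("no %s annotation (not SCC-admitted?)" % ASSIGNED_SCC)
    elif required is not None and assigned != required:
        findings.append("admitted under %r but requires %r" % (assigned, required))
    if assigned in HIGH_PRIVILEGE_SCCS:
        findings.append("admitted under high-privilege SCC %r" % assigned)
    return findings


def check_pods(pod_list):
    """Map 'namespace/name' -> findings for every non-compliant pod in a PodList."""
    report = {}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        findings = check_pod(pod)
        if findings:
            report["%s/%s" % (meta.get("namespace", ""), meta.get("name", ""))] = findings
    return report


# Constructed sample shaped like `kubectl get pods -A -o json` output (not real cluster data).
SAMPLE = {"items": [
    {"metadata": {"namespace": "open-cluster-management", "name": "cluster-proxy-1",
                  "annotations": {ASSIGNED_SCC: "restricted-v2", REQUIRED_SCC: "restricted-v2"}}},
    {"metadata": {"namespace": "open-cluster-management", "name": "hive-controllers-1",
                  "annotations": {ASSIGNED_SCC: "restricted-v2"}}},
    {"metadata": {"namespace": "open-cluster-management-agent", "name": "klusterlet-1",
                  "annotations": {ASSIGNED_SCC: "privileged", REQUIRED_SCC: "restricted-v2"}}},
]}

if __name__ == "__main__":
    # Usage: python scc_check.py pods.json   (falls back to the constructed sample)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for key, findings in sorted(check_pods(data).items()):
        print(key + ": " + "; ".join(findings))
```

      Pods that are pinned and admitted under the SCC they declare produce no output; every other pod is listed with the reason it was flagged.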

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      1. ...

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            rh-ee-ngraham Nathaniel Graham
            dbennett@redhat.com Disaiah Bennett
            Thuy Nguyen Thuy Nguyen