Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-8465

(Hive) Add Kubernetes SCC V2 options to resource's YAML configuration

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Duplicate
    • Icon: Normal Normal
    • ACM 2.10.0
    • ACM 2.10.0
    • Installer
    • None
    • No

      Value Statement

      As an ACM admin, I want to add Kubernetes Security Context Constraints (SCC) V2 options to the component's resource YAML configuration to ensure that the Pod runs with the 'readonlyrootfilesystem' and 'privileged' settings, in order to enhance the security and functionality of our application.

      In the resource config YAML, we need to add the follow context:

      securityContext:
        privileged: false
        readOnlyRootFilesystem: true
      

      Affected resources:

      • [ ] hiveadmission
      • [ ] hive-clustersync
      • [ ] hive-controllers

      Definition of Done for Engineering Story Owner (Checklist)

      • [ ] Ensure that the Pod continues to function correctly with the new SCC V2 settings.
      • [ ] Verify that the SCC V2 options are effective in limiting the Pod's privileges and restricting write access to the root filesystem.

      Development Complete

      • The code is complete.
      • Functionality is working.
      • Any required downstream Docker file changes are made.

      Tests Automated

      • [ ] Unit/function tests have been automated and incorporated into the
        build.
      • [ ] 100% automated unit/function test coverage for new or changed APIs.

      Secure Design

      • [ ] Security has been assessed and incorporated into your threat model.

      Multidisciplinary Teams Readiness

      Support Readiness

      • [ ] The must-gather script has been updated.

            Unassigned Unassigned
            dbennett@redhat.com Disaiah Bennett
            Thuy Nguyen Thuy Nguyen
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: