  1. OpenShift Authentication
  2. AUTH-133

Pod Security Admission integration in OpenShift


Details

    • Pod Security Admission
    • False
    • False
    • Yellow
    • To Do
    • Impediment
    • 100
    • 100% 100%
    • Dev complete as the final origin PRs have merged. We still need to write a blog post prior to GA and there will be follow-on work in OCP 4.12 for alerts to finish this off.

    Description

      Summary (PM+lead)

      https://issues.redhat.com/browse/AUTH-2 revealed that, in principle, Pod Security Admission can be integrated into OpenShift while retaining SCC functionality.

       

      This epic is about the concrete steps to enable Pod Security Admission by default in OpenShift.

      Motivation (PM+lead)

      Goals (lead)

      • Enable Pod Security Admission in "restricted" policy level by default
      • Migrate existing core workloads to comply with the "restricted" pod security policy level

      Non-Goals (lead)

      • Other OpenShift workloads must be migrated by the individual responsible teams.

      Deliverables

      Proposal (lead)

      Enhancement - https://github.com/openshift/enhancements/pull/1010

      User Stories (PM)

      Dependencies (internal and external, lead)

      Previous Work (lead)

      Open questions (lead)

      1. ...

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

      Attachments

        Issue Links

          There are no Sub-Tasks for this issue.

          Activity

            People

              slaznick@redhat.com Stanislav Laznicka
              surbania Sergiusz Urbaniak (Inactive)
              Yash Tripathi Yash Tripathi (Inactive)
              Max Bridges Max Bridges

              Dates

                Created:
                Updated:
                Resolved: