Details
-
Epic
-
Resolution: Done
-
Critical
-
None
-
None
-
None
-
R&D: PSP++ & SCC
-
False
-
False
-
To Do
-
Impediment
-
0
-
0%
-
Undefined
Description
Summary (PM+lead)
Upstream introduces Pod Isolation Policies as a replacement of Pod Security Policy, following the sig-auth and sig-security discussions in https://docs.google.com/document/d/1dpfDF3Dk4HhbQe74AyCpzUYMjp4ZhiEgGXSMpVWLlqQ/edit?usp=sharing. OpenShift's Security Context Constraints (SCCs) must co-exist with the new upstream concept. This enhancement describes the plan to do so.
Motivation (PM+lead)
Upstream will agree on KEP 2582 in the next months and implement it maybe as an alpha in 1.22 (4.9) and target GA in 1.23 (4.10) or 1.24 (4.11). OpenShift has to work out how SCCs will co-exist and how OpenShift will make use of Pod Isolution Policies.
Goals (lead)
- allow SCCs and PIPs to co-exist
- allow builds to work in a world with enabled PIPs
Non-Goals (lead)
- deprecate SCCs
- remove SCCs
Deliverables
- enhancements of PIPs co-existance with SCCs
Proposal (lead)
User Stories (PM)
Dependencies (internal and external, lead)
Previous Work (lead)
Open questions (lead)
- ...
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
Attachments
Issue Links
1.
|
Docs Tracker |
|
Closed | 
|
Unassigned |
2.
|
QE Tracker |
|
Closed |
|
Yash Tripathi (Inactive) |
3.
|
TE Tracker |
|
Closed |
|
Unassigned |