Uploaded image for project: 'OpenShift Authentication'
  1. OpenShift Authentication
  2. AUTH-2

Enable Pod Security Admission & SCC

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Done
    • Icon: Critical Critical
    • None
    • None
    • None
    • R&D: PSP++ & SCC
    • False
    • False
    • To Do
    • Impediment
    • Undefined

      Summary (PM+lead)

      Upstream introduces Pod Isolation Policies as a replacement of Pod Security Policy, following the sig-auth and sig-security discussions in https://docs.google.com/document/d/1dpfDF3Dk4HhbQe74AyCpzUYMjp4ZhiEgGXSMpVWLlqQ/edit?usp=sharing. OpenShift's Security Context Constraints (SCCs) must co-exist with the new upstream concept. This enhancement describes the plan to do so.

      Motivation (PM+lead)

      Upstream will agree on KEP 2582 in the next months and implement it maybe as an alpha in 1.22 (4.9) and target GA in 1.23 (4.10) or 1.24 (4.11). OpenShift has to work out how SCCs will co-exist and how OpenShift will make use of Pod Isolution Policies.

      Goals (lead)

      1. allow SCCs and PIPs to co-exist
      2. allow builds to work in a world with enabled PIPs

      Non-Goals (lead)

      1. deprecate SCCs
      2. remove SCCs

      Deliverables

      1. enhancements of PIPs co-existance with SCCs

      Proposal (lead)

      User Stories (PM)

      Dependencies (internal and external, lead)

      Previous Work (lead)

      Open questions (lead)

      1. ...

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            surbania Sergiusz Urbaniak (Inactive)
            sttts@redhat.com Stefan Schimanski (Inactive)
            Yash Tripathi Yash Tripathi (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            12 Start watching this issue

              Created:
              Updated:
              Resolved: