  1. OpenShift Authentication
  2. AUTH-2

Enable Pod Security Admission & SCC



    • Epic
    • Resolution: Done
    • Critical
    • R&D: PSP++ & SCC
    • To Do
    • Impediment


      Summary (PM+lead)

      Upstream introduces Pod Isolation Policies as a replacement for Pod Security Policy, following the sig-auth and sig-security discussions in https://docs.google.com/document/d/1dpfDF3Dk4HhbQe74AyCpzUYMjp4ZhiEgGXSMpVWLlqQ/edit?usp=sharing. OpenShift's Security Context Constraints (SCCs) must co-exist with the new upstream concept. This enhancement describes the plan to do so.

      Motivation (PM+lead)

      Upstream will agree on KEP 2582 in the coming months and may implement it as an alpha in 1.22 (4.9), targeting GA in 1.23 (4.10) or 1.24 (4.11). OpenShift has to work out how SCCs will co-exist with Pod Isolation Policies (PIPs) and how OpenShift will make use of them.

      Goals (lead)

      1. allow SCCs and PIPs to co-exist
      2. allow builds to work in a world with enabled PIPs

      Non-Goals (lead)

      1. deprecate SCCs
      2. remove SCCs


      1. enhancements of PIPs' co-existence with SCCs

      Proposal (lead)

      User Stories (PM)

      Dependencies (internal and external, lead)

      Previous Work (lead)

      Open questions (lead)

      1. ...

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>





              surbania Sergiusz Urbaniak
              sttts@redhat.com Stefan Schimanski
              Yash Tripathi Yash Tripathi (Inactive)