OpenShift Authentication / AUTH-2

Enable Pod Security Admission & SCC


    • Epic
    • Resolution: Done
    • Critical
    • R&D: PSP++ & SCC

      Summary (PM+lead)

      Upstream introduces Pod Isolation Policies as a replacement for Pod Security Policy, following the sig-auth and sig-security discussions in https://docs.google.com/document/d/1dpfDF3Dk4HhbQe74AyCpzUYMjp4ZhiEgGXSMpVWLlqQ/edit?usp=sharing. OpenShift's Security Context Constraints (SCCs) must co-exist with the new upstream concept. This enhancement describes the plan to do so.

      Motivation (PM+lead)

      Upstream will agree on KEP 2582 in the coming months and may implement it as an alpha in 1.22 (4.9), targeting GA in 1.23 (4.10) or 1.24 (4.11). OpenShift has to work out how SCCs will co-exist with Pod Isolation Policies (PIPs) and how OpenShift will make use of them.

      Goals (lead)

      1. allow SCCs and PIPs to co-exist
      2. allow builds to work in a world with enabled PIPs

      Non-Goals (lead)

      1. deprecate SCCs
      2. remove SCCs


      1. enhancements of PIPs co-existence with SCCs

      Proposal (lead)

      User Stories (PM)

      Dependencies (internal and external, lead)

      Previous Work (lead)

      Open questions (lead)

      1. ...

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

        There are no Sub-Tasks for this issue.

            surbania Sergiusz Urbaniak (Inactive)
            sttts@redhat.com Stefan Schimanski (Inactive)
            Yash Tripathi Yash Tripathi (Inactive)