Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Undefined
Fix Version/s: openshift-4.14
Affects Version/s: None
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
PSa enforcement deliverables in 4.14
Feature Link:
OCPSTRAT-746 - PSa enforcement deliverables in 4.14
Intelligence Requested:
Market:

Sprint:
Auth - Sprint 240

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

What

Exclude runtime zero namespaces from pod security admission.

Why

After investigations on managed clusters with regards to the default and kube-system, we found out that the violating workloads are not belonging to OpenShift.

On kube-system, cloud providers run their workloads: https://redhat-internal.slack.com/archives/CB48XQ4KZ/p1689699300541729?thread_ts=1689256615.032909&cid=CB48XQ4KZ.

On default a lot of workloads are being created, when the customer forgot to set a dedicated target namespace.

Adding those namespaces to the ocp namespaces isn't feasible as they are special namespaces (runtime level zero namespaces).

is related to

OCPBUGS-21776 [HyperShift] Runtime zero namespaces are not excluded from pod security in guest cluster

Closed

Assignee:: Stanislav Láznička

Reporter:: Krzysztof Ostrowski

QA Contact:: Giriyamma Karagere Ramaswamy (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2023/07/28 4:55 PM

Updated:: 2023/10/17 11:13 AM

Resolved:: 2023/08/16 7:45 AM

Details

Description

What

Why

Attachments

Issue Links

Activity

People

Dates

Hide