Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Undefined
Fix Version/s: openshift-4.14
Affects Version/s: None
Labels:
None

Work Type:
Strategic Product Work
Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
PSa enforcement deliverables in 4.14
Feature Link:
OCPSTRAT-746 - PSa enforcement deliverables in 4.14
Intelligence Requested:
Market:

Sprint:
Auth - Sprint 240

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

What

Don't enforce system defaults on a namespace's pod security labels, if it is managed by a user.

Why

If the managedFields (https://kubernetes.io/docs/reference/using-api/server-side-apply/#field-management) indicate that a user changed the pod security labels, we should not enforce system defaults.

A user might not be aware that the label syncer can be turned off and tries to manually change the state of the pod security profiles.

This fight between a user and the label syncer can cause violations.

links to

openshift/cluster-policy-controller#127: AUTH-413: ps syncer: only sync labels if noone else is managing them

Assignee:: Stanislav Láznička (Inactive)

Reporter:: Krzysztof Ostrowski

QA Contact:: Giriyamma Karagere Ramaswamy (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2023/07/28 5:04 PM

Updated:: 2024/11/24 12:39 AM

Resolved:: 2023/08/17 7:27 AM