OpenShift Authentication / AUTH-413

Disable pod security label syncer for namespaces modified by the customer

Details

    • Story
    • Resolution: Done
    • Undefined
    • openshift-4.14
    • None
    • None
    • Auth - Sprint 240

    Description

      What

      Don't enforce system defaults on a namespace's pod security labels, if it is managed by a user.

      Why

      If the managedFields (https://kubernetes.io/docs/reference/using-api/server-side-apply/#field-management) indicate that a user changed the pod security labels, we should not enforce system defaults.

      A user might not be aware that the label syncer can be turned off and might try to manually change the state of the pod security profiles.

      This fight between a user and the label syncer can cause violations.
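
The managedFields check described above, as an added example (not code from this issue or from the OpenShift project). The syncer's field-manager name `example-label-syncer`, the function and type names, and the sample managedFields JSON are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Assumption: the syncer's field-manager name (placeholder, not from the issue).
const syncerManager = "example-label-syncer"
// managedFieldsEntry is one item of metadata.managedFields (fields used here only).
type managedFieldsEntry struct {
	Manager  string          `json:"manager"`
	FieldsV1 json.RawMessage `json:"fieldsV1"`
}

// Constructed sample: the syncer owns audit and warn, a user set enforce by hand.
const sampleManagedFields = `[
{"manager":"example-label-syncer","operation":"Apply","fieldsV1":{"f:metadata":{"f:labels":{"f:pod-security.kubernetes.io/audit":{},"f:pod-security.kubernetes.io/warn":{}}}}},
{"manager":"kubectl-label","operation":"Update","fieldsV1":{"f:metadata":{"f:labels":{"f:pod-security.kubernetes.io/enforce":{},"f:team":{}}}}}]`

// userOwnedPSALabels maps each pod security label owned by a non-syncer manager to that manager.
func userOwnedPSALabels(raw string) (map[string]string, error) {
	var entries []managedFieldsEntry
	if err := json.Unmarshal([]byte(raw), &entries); err != nil {
		return nil, err
	}
	owned := map[string]string{}
	for _, e := range entries {
		if e.Manager == syncerManager || len(e.FieldsV1) == 0 {
			continue
		}
		var f struct {
			Metadata struct {
				Labels map[string]json.RawMessage `json:"f:labels"`
			} `json:"f:metadata"`
		}
		if err := json.Unmarshal(e.FieldsV1, &f); err != nil {
			return nil, fmt.Errorf("manager %q: %w", e.Manager, err)
		}
		for k := range f.Metadata.Labels {
			if strings.HasPrefix(k, "f:pod-security.kubernetes.io/") {
				owned[strings.TrimPrefix(k, "f:")] = e.Manager
			}
		}
	}
	return owned, nil
}
func main() { fmt.Println(userOwnedPSALabels(sampleManagedFields)) }
```

A controller following this story would leave any label in the returned map untouched and keep syncing the rest; whether the skip applies per label or to the whole namespace is not stated in the issue.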

          People

            slaznick@redhat.com Stanislav Laznicka
            kostrows@redhat.com Krzysztof Ostrowski
            Giriyamma Karagere Ramaswamy (Inactive)