Project: OpenShift Authentication
Issue: AUTH-482

SCC pinning for all workloads in platform namespaces


    • Type: Story
    • Resolution: Unresolved
    • Priority: Undefined
    • Sprint: Auth - Sprint 249, Auth - Sprint 250

      When creating a custom SCC, it is possible to give it a priority higher than that of the existing SCCs. Any SA with access to all SCCs may then be admitted with the higher-priority custom SCC, and that SCC can mutate the workload in an unexpected or unintended way.

      To protect platform workloads from this effect (which, combined with PSA, might result in the workload being rejected once we start enforcing the "restricted" profile), we must pin the required SCC on all workloads in platform namespaces (openshift-*, kube-*, default).

      Each workload should pin the least-privileged SCC it needs, except workloads in run-level 0 namespaces, which should pin the "privileged" SCC (SCC admission is not enabled in those namespaces, but we should still pin an SCC for tracking purposes).
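As an added illustration (not part of the original issue or of any OpenShift component), a small audit over pod metadata that flags the cases the description calls out: platform pods with no pin, run-level 0 pods that pin something other than "privileged", and pins that did not take effect. The pod list is constructed in place of `oc get pods -A -o json`, and the run-level 0 namespace set is assumed rather than read from the `openshift.io/run-level` namespace label.

```python
import json
import re

# Platform namespaces tracked by AUTH-482: default, openshift, kube-*, openshift-*.
PLATFORM_NS = re.compile(r"^(default|openshift|kube-.*|openshift-.*)$")
REQUIRED_SCC = "openshift.io/required-scc"  # the pin, set on the pod (template)
APPLIED_SCC = "openshift.io/scc"            # written by SCC admission on the pod

# Constructed stand-in for `oc get pods -A -o json` (not real cluster output).
SAMPLE_PODS = json.loads("""{"items": [
 {"metadata": {"namespace": "openshift-console", "name": "console-1",
   "annotations": {"openshift.io/scc": "restricted-v2"}}},
 {"metadata": {"namespace": "openshift-apiserver", "name": "apiserver-1",
   "annotations": {"openshift.io/required-scc": "restricted-v2",
                   "openshift.io/scc": "restricted-v2"}}},
 {"metadata": {"namespace": "openshift-dns", "name": "dns-default-1",
   "annotations": {"openshift.io/required-scc": "restricted-v2",
                   "openshift.io/scc": "custom-prio-100"}}},
 {"metadata": {"namespace": "kube-system", "name": "kube-rbac-1",
   "annotations": {"openshift.io/required-scc": "restricted-v2"}}},
 {"metadata": {"namespace": "myapp", "name": "web-1", "annotations": {}}}
]}""")
# Assumed set; on a real cluster, namespaces labelled openshift.io/run-level=0.
RUN_LEVEL_0 = {"kube-system", "default", "openshift-etcd", "openshift-kube-apiserver"}

def audit(pod_list, run_level_0=RUN_LEVEL_0):
    """Map 'ns/pod' -> finding for every pod in a platform namespace."""
    findings = {}
    for pod in pod_list["items"]:
        meta = pod["metadata"]
        ns = meta["namespace"]
        if not PLATFORM_NS.match(ns):
            continue  # user workloads are out of scope for this issue
        key = f"{ns}/{meta['name']}"
        ann = meta.get("annotations") or {}
        pinned, applied = ann.get(REQUIRED_SCC), ann.get(APPLIED_SCC)
        if pinned is None:
            # Without a pin, a higher-priority custom SCC can be chosen for this SA.
            findings[key] = f"unpinned (currently admitted with {applied})"
        elif ns in run_level_0 and pinned != "privileged":
            findings[key] = f"run-level 0 namespace should pin privileged, pins {pinned}"
        elif applied is not None and applied != pinned:
            findings[key] = f"pin not effective: pinned {pinned}, admitted with {applied}"
        else:
            findings[key] = "ok"
    return findings

if __name__ == "__main__":
    for key, finding in sorted(audit(SAMPLE_PODS).items()):
        print(f"{key}: {finding}")
```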

      The following table tracks progress.

      = completed

      # namespace 4.17 4.16 4.15
      1 default      
      2 kube-node-lease      
      3 kube-public      
      4 kube-system      
      5 oc debug node pods #1763    
      6 openshift      
      7 openshift-apiserver      
      8 openshift-apiserver-operator   #573  
      9 openshift-authentication   #656  
      10 openshift-authentication-operator   #656  
      11 openshift-catalogd   #50  
      12 openshift-cloud-controller-manager      
      13 openshift-cloud-controller-manager-operator      
      14 openshift-cloud-credential-operator   #681  
      15 openshift-cloud-network-config-controller #2282    
      16 openshift-cloud-platform-infra      
      17 openshift-cluster-api      
      18 openshift-cluster-csi-drivers   #170 #459  
      19 openshift-cluster-machine-approver      
      20 openshift-cluster-node-tuning-operator   #968  
      21 openshift-cluster-olm-operator   #54  
      22 openshift-cluster-samples-operator   #535  
      23 openshift-cluster-storage-operator   #459 #196  
      24 openshift-cluster-version   #1038  
      25 openshift-config      
      26 openshift-config-managed      
      27 openshift-config-operator   #410  
      28 openshift-console #871    
      29 openshift-console-operator #871    
      30 openshift-console-user-settings      
      31 openshift-controller-manager   #336  
      32 openshift-controller-manager-operator   #336  
      33 openshift-dns      
      34 openshift-dns-operator      
      35 openshift-e2e-loki      
      36 openshift-etcd      
      37 openshift-etcd-operator      
      38 openshift-host-network      
      39 openshift-image-registry   #1008  
      40 openshift-infra      
      41 openshift-ingress   #1031  
      42 openshift-ingress-canary   #1031  
      43 openshift-ingress-operator   #1031  
      44 openshift-insights   #915  
      45 openshift-kni-infra      
      46 openshift-kube-apiserver      
      47 openshift-kube-apiserver-operator      
      48 openshift-kube-controller-manager      
      49 openshift-kube-controller-manager-operator      
      50 openshift-kube-proxy      
      51 openshift-kube-scheduler      
      52 openshift-kube-scheduler-operator      
      53 openshift-kube-storage-version-migrator   #107  
      54 openshift-kube-storage-version-migrator-operator   #107  
      55 openshift-machine-api #407 #315 #282 #1220 #73 #50  
      56 openshift-machine-config-operator #4219    
      57 openshift-manila-csi-driver      
      58 openshift-marketplace   #561  
      59 openshift-metallb-system      
      60 openshift-monitoring   #2335  
      61 openshift-multus      
      62 openshift-network-diagnostics   #2282  
      63 openshift-network-node-identity #2282    
      64 openshift-network-operator      
      65 openshift-node      
      66 openshift-nutanix-infra      
      67 openshift-oauth-apiserver   #656  
      68 openshift-openstack-infra      
      69 openshift-operator-controller   #100  
      70 openshift-operator-lifecycle-manager   #703  
      71 openshift-operators      
      72 openshift-ovirt-infra      
      73 openshift-ovn-kubernetes      
      74 openshift-platform-operators      
      75 openshift-route-controller-manager   #336  
      76 openshift-rukpak      
      77 openshift-sdn      
      78 openshift-service-ca   #235  
      79 openshift-service-ca-operator   #235  
      80 openshift-sriov-network-operator      
      81 openshift-user-workload-monitoring   #2335  
      82 openshift-vsphere-infra      

            Ilias Rinis (rh-ee-irinis)
            Deepak Punia