Details
-
Story
-
Resolution: Unresolved
-
Undefined
-
None
-
None
-
None
-
8
-
False
-
None
-
False
-
OCPSTRAT-487 - Pod Security Admission Integration - Restricted Enforcement
-
Auth - Sprint 249, Auth - Sprint 250
Description
When creating a custom SCC, it is possible to assign a priority that is higher than existing SCCs. This means that any SA with access to all SCCs might use the higher priority custom SCC, and this might mutate a workload in an unexpected/unintended way.
To protect platform workloads from such an effect (which, combined with PSa, might result in rejecting the workload once we start enforcing the "restricted" profile) we must pin the required SCC to all workloads in platform namespaces (openshift-, kube-, default).
Each workload should pin the SCC with the least-privilege, except workloads in runlevel 0 namespaces that should pin the "privileged" SCC (SCC admission is not enabled on these namespaces, but we should pin an SCC for tracking purposes).
The following table tracks progress:
| namespace | in review | merged |
|---|---|---|
| openshift-apiserver-operator |  PR |
|
| openshift-authentication | PR |
|
| openshift-authentication-operator | PR |
|
| openshift-cloud-controller-manager | ||
| openshift-cloud-controller-manager-operator | ||
| openshift-cloud-credential-operator | PR |
|
| openshift-cloud-network-config-controller | PR |
|
| openshift-cluster-csi-drivers | PR1, PR2 |
|
| openshift-cluster-machine-approver | ||
| openshift-cluster-node-tuning-operator | PR |
|
| openshift-cluster-samples-operator | PR |
|
| openshift-cluster-storage-operator | PR1, PR2 |
|
| openshift-cluster-version | PR |
|
| openshift-config-operator | PR |
|
| openshift-console | PR |
|
| openshift-console-operator | PR |
|
| openshift-controller-manager | PR |
|
| openshift-controller-manager-operator | PR |
|
| openshift-dns | ||
| openshift-dns-operator | ||
| openshift-etcd | ||
| openshift-etcd-operator | ||
| openshift-image-registry | PR |
|
| openshift-ingress | PR |
|
| openshift-ingress-canary | PR |
|
| openshift-ingress-operator | PR |
|
| openshift-insights | PR |
|
| openshift-kube-apiserver | ||
| openshift-kube-apiserver-operator | ||
| openshift-kube-controller-manager | ||
| openshift-kube-controller-manager-operator | ||
| openshift-kube-scheduler | ||
| openshift-kube-scheduler-operator | ||
| openshift-kube-storage-version-migrator | PR |
|
| openshift-kube-storage-version-migrator-operator | PR |
|
| openshift-machine-api | PR1, PR2, PR3, PR4, PR5, PR6 |
|
| openshift-machine-config-operator | PR |
|
| openshift-marketplace | ||
| openshift-monitoring | ||
| openshift-multus | ||
| openshift-network-diagnostics | PR |
|
| openshift-network-node-identity | PR |
|
| openshift-network-operator | ||
| openshift-oauth-apiserver | PR |
|
| openshift-operator-lifecycle-manager | PR |
|
| openshift-ovn-kubernetes | ||
| openshift-route-controller-manager | PR |
|
| openshift-service-ca | PR |
|
| openshift-service-ca-operator | PR |
|
Attachments
Issue Links
- relates to
-
OCPBUGS-20192 openshift.io/scc: restricted-readonly when setting up router sharding
-
- Closed
-
- links to