OpenShift Authentication / AUTH-482

SCC pinning for all workloads in platform namespaces


    • Type: Story
    • Resolution: Unresolved
    • Priority: Undefined
    • Sprint: Auth - Sprint 249, Auth - Sprint 250

      When creating a custom SCC, it is possible to assign it a priority higher than that of the existing SCCs. Any SA with access to all SCCs might then be matched to the higher-priority custom SCC, which might mutate a workload in an unexpected or unintended way.

      To protect platform workloads from such an effect (which, combined with PSa, might result in the workload being rejected once we start enforcing the "restricted" profile), we must pin the required SCC on all workloads in platform namespaces (the openshift- and kube- prefixes, and default).

      Each workload should pin the least-privileged SCC that it needs, except workloads in runlevel 0 namespaces, which should pin the "privileged" SCC (SCC admission is not enabled in these namespaces, but we should still pin an SCC for tracking purposes).
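      To make the pinning requirement above checkable, here is an added example that is not part of this ticket or of any OpenShift component: a small Python audit that walks workload objects in the shape `oc get deploy,ds,sts -A -o json` returns and reports which platform-namespace workloads lack a pinned SCC, and which runlevel 0 workloads pin something other than "privileged". It assumes that pinning is done through the `openshift.io/required-scc` pod-template annotation, takes the runlevel 0 namespace list from the "(runlevel)" rows of the breakdown table below, and runs on constructed sample objects embedded in the script (the workload names and SCC names in the samples are illustrative).

```python
"""Audit SCC pinning on workloads in platform namespaces.

Added example, not code from the ticket or from any OpenShift component.
Assumptions: the pod-template annotation ``openshift.io/required-scc`` is the
pinning mechanism; the runlevel 0 namespace set is copied from the ticket's
table; the sample items below are constructed, not captured from a cluster.
"""
import json
import sys

# Assumption: the annotation OpenShift reads to pin a workload to one SCC.
REQUIRED_SCC_ANNOTATION = "openshift.io/required-scc"

# Platform namespaces as defined in the ticket: openshift-*, kube-*, default.
PLATFORM_PREFIXES = ("openshift-", "kube-")
PLATFORM_EXACT = {"default"}

# Runlevel 0 namespaces, from the "(runlevel)" rows of the ticket's table.
# SCC admission is not enabled there, so "privileged" is pinned for tracking.
RUNLEVEL_NAMESPACES = {
    "kube-system", "openshift-cloud-controller-manager",
    "openshift-cloud-controller-manager-operator", "openshift-cluster-api",
    "openshift-cluster-machine-approver", "openshift-dns", "openshift-dns-operator",
    "openshift-etcd", "openshift-etcd-operator", "openshift-kube-apiserver",
    "openshift-kube-apiserver-operator", "openshift-kube-controller-manager",
    "openshift-kube-controller-manager-operator", "openshift-kube-proxy",
    "openshift-kube-scheduler", "openshift-kube-scheduler-operator",
    "openshift-multus", "openshift-network-operator", "openshift-ovn-kubernetes",
    "openshift-sdn", "openshift-storage",
}


def is_platform_namespace(ns):
    """True for the namespaces the ticket classes as platform namespaces."""
    return ns in PLATFORM_EXACT or ns.startswith(PLATFORM_PREFIXES)


def pinned_scc(item):
    """Return the SCC pinned on the item's pod template, or None if unpinned."""
    tmpl_meta = item.get("spec", {}).get("template", {}).get("metadata", {})
    annotations = tmpl_meta.get("annotations") or {}
    return annotations.get(REQUIRED_SCC_ANNOTATION)


def audit_workload(item):
    """Classify one Deployment/DaemonSet/StatefulSet object."""
    ns = item["metadata"]["namespace"]
    name = item["metadata"]["name"]
    scc = pinned_scc(item)
    if not is_platform_namespace(ns):
        status = "not-platform"            # outside the ticket's scope
    elif scc is None:
        status = "missing"                 # needs a pinned SCC
    elif ns in RUNLEVEL_NAMESPACES and scc != "privileged":
        status = "runlevel-not-privileged" # runlevel 0 must pin "privileged"
    else:
        status = "pinned"
    return {"namespace": ns, "name": name, "kind": item.get("kind", "?"),
            "scc": scc, "status": status}


def audit(items):
    return [audit_workload(i) for i in items]


def summarize(results):
    """Counts in the spirit of the ticket's summary table, per workload."""
    platform = [r for r in results if r["status"] != "not-platform"]
    todo = [r for r in platform if r["status"] != "pinned"]
    return {
        "monitored": len(platform),
        "pinned": len(platform) - len(todo),
        "remaining": len(todo),
        "remaining_non_runlevel": sum(1 for r in todo if r["namespace"] not in RUNLEVEL_NAMESPACES),
        "remaining_runlevel": sum(1 for r in todo if r["namespace"] in RUNLEVEL_NAMESPACES),
    }


# Constructed sample objects, trimmed to the fields the audit reads.
SAMPLE_ITEMS = json.loads("""[
 {"kind":"Deployment","metadata":{"namespace":"openshift-service-ca","name":"service-ca"},
  "spec":{"template":{"metadata":{"annotations":{"openshift.io/required-scc":"restricted-v2"}}}}},
 {"kind":"Deployment","metadata":{"namespace":"openshift-console","name":"console"},
  "spec":{"template":{"metadata":{}}}},
 {"kind":"DaemonSet","metadata":{"namespace":"openshift-ovn-kubernetes","name":"ovnkube-node"},
  "spec":{"template":{"metadata":{"annotations":{"openshift.io/required-scc":"privileged"}}}}},
 {"kind":"DaemonSet","metadata":{"namespace":"openshift-dns","name":"dns-default"},
  "spec":{"template":{"metadata":{"annotations":{"openshift.io/required-scc":"hostnetwork"}}}}},
 {"kind":"Deployment","metadata":{"namespace":"my-app","name":"web"},
  "spec":{"template":{"metadata":{}}}}
]""")

if __name__ == "__main__":
    # Pass "-" to read an `oc get ... -o json` list from stdin; default: samples.
    items = json.load(sys.stdin)["items"] if sys.argv[1:] == ["-"] else SAMPLE_ITEMS
    results = audit(items)
    for r in results:
        if r["status"] != "not-platform":
            print(f'{r["status"]:24} {r["namespace"]}/{r["kind"]}/{r["name"]} scc={r["scc"]}')
    print(summarize(results))
```

      Run it as `oc get deploy,ds,sts -A -o json | python3 audit_scc.py -` against a cluster (hypothetical file name); with no argument it audits the constructed samples, where the console deployment shows up as "missing" and the dns-default DaemonSet as "runlevel-not-privileged" because openshift-dns is a runlevel 0 namespace in the ticket's table.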

      The following tables track progress.

      Progress summary

      namespaces                        4.19  4.18  4.17  4.16  4.15  4.14
      monitored                           82    82    82    82    82    82
      fix needed                          68    68    68    68    68    68
      fixed                               39    39    35    32    39     1
      remaining                           29    29    33    36    29    67
      ~ remaining non-runlevel             8     8    12    15     8    46
      ~ remaining runlevel (low-prio)     21    21    21    21    21    21
      ~ untested                           2     2     2     2    82    82

      Progress breakdown

      # namespace 4.19 4.18 4.17 4.16 4.15 4.14
      1 oc debug node pods #1763 #1816 #1818  
      2 openshift-apiserver-operator #573 #581  
      3 openshift-authentication #656 #675  
      4 openshift-authentication-operator #656 #675  
      5 openshift-catalogd #50 #58  
      6 openshift-cloud-credential-operator #681 #736  
      7 openshift-cloud-network-config-controller #2282 #2490 #2496    
      8 openshift-cluster-csi-drivers #6 #118 #524 #131 #306 #265 #75   #170 #459 #484  
      9 openshift-cluster-node-tuning-operator #968 #1117  
      10 openshift-cluster-olm-operator #54 n/a n/a
      11 openshift-cluster-samples-operator #535 #548  
      12 openshift-cluster-storage-operator #516   #459 #196 #484 #211  
      13 openshift-cluster-version       #1038 #1068  
      14 openshift-config-operator #410 #420  
      15 openshift-console #871 #908 #924  
      16 openshift-console-operator #871 #908 #924  
      17 openshift-controller-manager #336 #361  
      18 openshift-controller-manager-operator #336 #361  
      19 openshift-e2e-loki #56579 #56579 #56579 #56579  
      20 openshift-image-registry       #1008 #1067  
      21 openshift-ingress   #1032        
      22 openshift-ingress-canary   #1031        
      23 openshift-ingress-operator   #1031        
      24 openshift-insights #1033 #1041 #1049 #915 #967  
      25 openshift-kni-infra #4504 #4542 #4539 #4540  
      26 openshift-kube-storage-version-migrator #107 #112  
      27 openshift-kube-storage-version-migrator-operator #107 #112  
      28 openshift-machine-api #1308 #1317 #1311 #407 #315 #282 #1220 #73 #50 #433 #332 #326 #1288 #81 #57 #443
      29 openshift-machine-config-operator #4636 #4219 #4384 #4393  
      30 openshift-manila-csi-driver #234 #235 #236  
      31 openshift-marketplace #578 #561 #570
      32 openshift-metallb-system #238 #240 #241    
      33 openshift-monitoring #2298 #366 #2498   #2335 #2420  
      34 openshift-network-console #2545        
      35 openshift-network-diagnostics #2282 #2490 #2496    
      36 openshift-network-node-identity #2282 #2490 #2496    
      37 openshift-nutanix-infra #4504 #4539 #4540  
      38 openshift-oauth-apiserver #656 #675  
      39 openshift-openstack-infra #4504   #4539 #4540  
      40 openshift-operator-controller #100 #120  
      41 openshift-operator-lifecycle-manager #703 #828  
      42 openshift-route-controller-manager #336 #361  
      43 openshift-service-ca #235 #243  
      44 openshift-service-ca-operator #235 #243  
      45 openshift-sriov-network-operator #995 #999 #1003  
      46 openshift-user-workload-monitoring #2335 #2420  
      47 openshift-vsphere-infra #4504 #4542 #4539 #4540  
      48 (runlevel) kube-system            
      49 (runlevel) openshift-cloud-controller-manager            
      50 (runlevel) openshift-cloud-controller-manager-operator            
      51 (runlevel) openshift-cluster-api            
      52 (runlevel) openshift-cluster-machine-approver            
      53 (runlevel) openshift-dns            
      54 (runlevel) openshift-dns-operator            
      55 (runlevel) openshift-etcd            
      56 (runlevel) openshift-etcd-operator            
      57 (runlevel) openshift-kube-apiserver            
      58 (runlevel) openshift-kube-apiserver-operator            
      59 (runlevel) openshift-kube-controller-manager            
      60 (runlevel) openshift-kube-controller-manager-operator            
      61 (runlevel) openshift-kube-proxy            
      62 (runlevel) openshift-kube-scheduler            
      63 (runlevel) openshift-kube-scheduler-operator            
      64 (runlevel) openshift-multus            
      65 (runlevel) openshift-network-operator            
      66 (runlevel) openshift-ovn-kubernetes            
      67 (runlevel) openshift-sdn            
      68 (runlevel) openshift-storage            

              Ilias Rinis (rh-ee-irinis)
              Deepak Punia (Inactive)
              Votes: 0
              Watchers: 10
