Story
Resolution: Done
compliance-operator-1.0, file-integrity-operator-1.0
Affects both operators.
Pod Security Admission will be set to enforcing restricted in 4.12. This requires certain namespace labels that we can control if we deploy from a manifest, but that is a problem for OLM. OLM has a label-syncer controller that can adjust for non-openshift-prefixed namespaces, but for 4.12 it will implement a special label to allow openshift-prefixed namespaces to be adjusted by the syncer. See doc [0].
The label will be something like
security.openshift.io/scc.podSecurityLabelSync=true (is this the right key/value?).
We might need to coordinate with OLM to get our namespaces included with this label.