  1. Cloud Infrastructure Security & Compliance
  2. CMP-1447

PSP enforcement OLM namespace labels for 4.12


    • Story
    • Resolution: Done
    • compliance-operator-1.0, file-integrity-operator-1.0

      Affects both operators.

      Pod Security Admission will be set to enforcing restricted in 4.12. This requires certain namespace labels that we can control if we deploy from a manifest, but that is a problem for OLM. OLM has a label-syncer controller that can adjust for non-openshift-prefixed namespaces, but for 4.12 it will implement a special label to allow openshift-prefixed namespaces to be adjusted by the syncer. See doc [0].

      The label will be something like
      security.openshift.io/scc.podSecurityLabelSync=true (is this the right key/value?).
      We might need to coordinate with OLM to get our namespaces included with this label.

      [0] https://docs.google.com/document/d/1th0wv-sVKHykciyN2Rr-kolIE0JVNAOJPHMBZ2jaQRI/edit#heading=h.pgsgozmol6pj

            Unassigned Unassigned
            rhn-support-mrogers Matt Rogers (Inactive)
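
An added example, not part of the ticket or of either operator's code: a small audit over `oc get namespaces -o json` output that applies the rule described in the ticket. It assumes the label key/value quoted in the ticket (which the ticket itself leaves unconfirmed), the upstream `pod-security.kubernetes.io/enforce` namespace label, and a constructed sample namespace list.

```python
import json

# Label key/value as quoted in the ticket (the ticket was unsure of it): assumption.
SYNC_LABEL = "security.openshift.io/scc.podSecurityLabelSync"
# Upstream Kubernetes Pod Security Admission namespace label.
ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
# Cluster-wide enforcement level the ticket says 4.12 will use.
CLUSTER_DEFAULT = "restricted"


def classify(namespace):
    """Return (status, detail) describing how one Namespace gets its PSA level."""
    meta = namespace.get("metadata", {})
    name = meta.get("name", "")
    labels = meta.get("labels") or {}
    if ENFORCE_LABEL in labels:
        # A level is already pinned on the namespace (by a manifest or the syncer).
        return ("labelled", labels[ENFORCE_LABEL])
    opted_in = labels.get(SYNC_LABEL) == "true"
    if not name.startswith("openshift-") or opted_in:
        # Non-openshift-prefixed namespaces, or prefixed ones carrying the opt-in label.
        return ("syncer", "eligible for label sync")
    # openshift-prefixed, no opt-in, no explicit label: the global level applies.
    return ("default", CLUSTER_DEFAULT)


def audit(namespace_list_json):
    """Map namespace name -> classification for a NamespaceList JSON document."""
    items = json.loads(namespace_list_json).get("items", [])
    return {ns["metadata"]["name"]: classify(ns) for ns in items}


# Constructed sample input, shaped like `oc get namespaces -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "openshift-compliance"}},
    {"metadata": {"name": "openshift-file-integrity",
                  "labels": {SYNC_LABEL: "true"}}},
    {"metadata": {"name": "my-app", "labels": {}}},
    {"metadata": {"name": "openshift-example",
                  "labels": {ENFORCE_LABEL: "privileged"}}},
]})

if __name__ == "__main__":
    for ns_name, (status, detail) in sorted(audit(SAMPLE).items()):
        print(f"{ns_name:28} {status:9} {detail}")
```

Namespaces reported as `default` are the ones to review before the upgrade: their pods are admitted only if they satisfy the restricted profile.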