Project: AMQ Broker
Issue: ENTMQBR-6717

Add support for "Pod Security Admission"


    • Type: Story
    • Resolution: Done
    • Priority: Blocker
    • Fix Version: AMQ 7.10.0.OPR.1.GA
    • Component: operator

A pod security change is coming in OCP 4.11 and 4.12 and Kubernetes 1.25.

OpenShift 4.11 enables pod security admission (https://kubernetes.io/docs/concepts/security/pod-security-admission/) with the "restricted" profile (https://kubernetes.io/docs/concepts/security/pod-security-standards/) by default.

Note that this will be WARN in OCP 4.11 and set to ENFORCING in OCP 4.12.

It will do this via changes to the SCCs in use:

- Prior to 4.11, no platform SCCs met the "restricted" PSa profile.
- Three new SCCs were added: restricted-v2, hostnetwork-v2, nonroot-v2. These:
  - Drop ALL container capabilities
  - Default the seccomp profile to "runtime/default"
  - Don't allow running binaries with SUID bits in containers

We likely need to look at moving to the restricted-v2 profile and ensuring everything still works.

We also need to update the bundle's com.redhat.openshift.versions to extend the range to include 4.12.
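To make "ensuring everything still works" concrete, here is an added example (not code from this issue or from the AMQ Broker operator) that checks a pod spec against the three restricted-v2 rules listed above, plus the runAsNonRoot requirement of the restricted Pod Security Standard linked in the description; the two pod specs and the image name are constructed placeholders.

```python
# Added example: restricted-v2 / restricted-PSS checker for pod specs (not the operator's own code).
from typing import Any, Dict, List

SECCOMP_OK = {"RuntimeDefault", "Localhost"}


def check_pod(spec: Dict[str, Any]) -> List[str]:
    """Return the restricted-profile violations found in a pod spec (empty list = compliant)."""
    pod_sc = spec.get("securityContext") or {}
    findings: List[str] = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        # Rule 1: drop ALL capabilities (the restricted standard tolerates adding back NET_BIND_SERVICE only).
        if "ALL" not in (caps.get("drop") or []):
            findings.append(f"{name}: capabilities.drop must contain ALL")
        if set(caps.get("add") or []) - {"NET_BIND_SERVICE"}:
            findings.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE")
        # Rule 2: seccomp must be RuntimeDefault (or Localhost); a container setting overrides the pod setting.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in SECCOMP_OK:
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        # Rule 3: no SUID-based escalation, expressed as allowPrivilegeEscalation: false (no_new_privs).
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        # Restricted PSS additionally requires non-root; a container setting overrides the pod setting.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
    return findings


# Constructed sample: a broker pod spec with no securityContext at all (placeholder image name).
WEAK_SPEC = {"containers": [{"name": "broker", "image": "example/amq-broker:placeholder"}]}

# Constructed sample: the same pod hardened to satisfy restricted-v2 (seccomp and non-root set at pod level).
HARDENED_SPEC = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "broker", "image": "example/amq-broker:placeholder",
        "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    for label, spec in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        print(label, check_pod(spec) or "compliant with restricted-v2")
```

Running the checker over the operator's rendered StatefulSet pod template before switching SCCs shows exactly which settings still need to change.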

People: Howard Gao (gaohoward), Roderick Kieley (rhn-support-rkieley), Roman Vais (Inactive)