Uploaded image for project: 'AMQ Broker'
  1. AMQ Broker
  2. ENTMQBR-6717

Add support for "Pod Security Admission"

    XMLWordPrintable

Details

    • Story
    • Resolution: Done
    • Blocker
    • None
    • AMQ 7.10.0.OPR.1.GA
    • operator
    • None

    Description

      Pod security change is coming in OCP 4.11 and 4.12 and Kube 1.25

      Enabling pod security admission (https://kubernetes.io/docs/concepts/security/pod-security-admission/) using the “restricted” profile by default (https://kubernetes.io/docs/concepts/security/pod-security-standards/) for OpenShift 4.11.

      Note that this will be a WARN in OCP 4.11 and set to ENFORCING in OCP 4.12

      It will do this via changes to the SCCs in use:

      Prior to 4.11 - no platform SCCs met the “restricted” PSa profile
      Added three new SCCs:
      restricted-v2, hostnetwork-v2, nonroot-v2
      These:
      Drop ALL container capabilities
      Default seccomp profile to “runtime/default”
      Don’t allow running binaries with SUID bits in containers

      Likely need to see about moving to the restricted-v2 profile and ensuring everything still works.

      Also need to update the bundle com.redhat.openshift.versions to ensure we extend the range to include 4.12

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. ENTMQIC-3327 Add support for "Pod Security Admission"

          • Critical - To be worked on immediately following BLOCKER issues.
          • New
          is related to

          Bug - A problem that impairs or prevents the functions of the product. ENTMQBR-7921 AMQ 7.10 and 7.11 installation fails on Microshift 4.12.10 but works on 4.12.6

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Backlog

          Task - Represents a small unit of work that is not end-user facing. AUTH-312 Review telemetry data to determine if restricted enforcement will break customers

          • Undefined - Priority not specified.
          • Closed

          Spike - Represents a research-related task. OTA-784 Check PodSecurityViolation behavior on 4.11 to 4.12 updates

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          relates to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. ENTMQBR-4679 Adding support to define PodSecurityContext

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Task - Represents a small unit of work that is not end-user facing. ENTMQBR-7462 [QE] RE-test Pod Security Admissions feature when this feature is enabled by OCP and enforced

          • Undefined - Priority not specified.
          • Backlog

          Task - Represents a small unit of work that is not end-user facing. ENTMQBR-8558 Make sure the operator is aligned with latest PSA requirement

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Dev Complete

          Task - Represents a small unit of work that is not end-user facing. ENTMQBR-7386 Document AMQ Broker Operator behavior wih regard to Pod Security Admission

          • Undefined - Priority not specified.
          • Closed
          mentioned in

          Page Loading...

          Page Loading...

          Page Loading...

          Page Loading...

          Activity

            People

              gaohoward Howard Gao
              rhn-support-rkieley Roderick Kieley
              Roman Vais Roman Vais
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: