OpenShift Logging / LOG-2747

Add Pod Security Admission compatibility for restricted policy

    • Epic
    • Resolution: Done
    • Major
    • Logging 5.5.0
    • None
    • Log Storage
    • None
    •  Pod Security Admission Compatibility
    • True
    • This epic was automatically marked as blocked because the resolution for a subtask has been set to Won't Do (or Won't Fix), indicating a functional team cannot support this epic. If you believe this occurred in error, please reach out to the functional team for help in getting this work into their queue.
    • False
    • Not Selected
    • NEW
    • Done
    • Impediment
    • NEW
    • 0% To Do, 0% In Progress, 100% Done

      Goals

      • Ensure Pod Security Admission Policy compatibility with OCP 4.11
      • Ensure Pod Security Admission Policy compatibility with OCP 4.12

      Non-Goals

      • Replace present pod security requirements of ES/Loki Operator/Operands with more restricted ones

      Motivation

      Starting with OCP 4.11 and 4.12, policy enforcement for pod admission is set to restricted in order to ensure platform-wide security standards on running containers (e.g. running as non-root, explicit seccomp profiles). With their current manifests, the Log Storage components (Elasticsearch/Loki Operator & Operands) conflict with the upcoming policies applied on the platform and would be un-schedulable. Thus we need to make the required declarations explicit in all manifests as soon as possible.

      Alternatives

      None.

      Acceptance Criteria

      • Elasticsearch Operator and Operands (Elasticsearch/Kibana/IndexManagement) are schedulable on clusters with OCP 4.11 and 4.12 Pod Admission Policy set to restricted.
      • Loki Operator and Operands (Loki/Gateway/OPA-OpenShift) are schedulable on clusters with OCP 4.11 and 4.12 Pod Admission Policy set to restricted.

      Risk and Assumptions

      Documentation Considerations

      Open Questions

      Additional Notes

        1. Docs Tracker Sub-task Closed Undefined Unassigned
        2. PX Tracker Sub-task Closed Undefined Unassigned
        3. QE Tracker Sub-task Closed Undefined Unassigned
        4. TE Tracker Sub-task Closed Undefined Unassigned

            Unassigned Unassigned
            ptsiraki@redhat.com Periklis Tsirakidis