-
Epic
-
Resolution: Done
-
Major
-
None
-
None
-
Pod Security Admission Compatibility
-
True
-
-
False
-
Not Selected
-
NEW
-
Done
-
Impediment
-
NEW
-
0% To Do, 0% In Progress, 100% Done
Goals
- Ensure Pod Security Admission Policy compatibility with OCP 4.11
- Ensure Pod Security Admission Policy compatibility with OCP 4.12
Non-Goals
- Replace present pod security requirements of ES/Loki Operator/Operands with more restricted ones
Motivation
Moving forward with OCP 4.11 and 4.12 a new policy enforcement for pod admission is set to restricted in order to ensure platform-wide security standards on running containers (i.e. running as non-root, explicit seccomp profiles, etc.). The Log Storage components (Elasticsearch/Loki Operator & Operands) are as per state of the union (regarding manifests) in conflict being un-schedulable with the upcoming policies applied on the platform. Thus we need to make the required declarations in any manifests explicit as soon as possible
Alternatives
None.
Acceptance Criteria
- Elasticsearch Operator and Operands (Elasticsearch/Kibana/IndexManagement) are schedulable on clusters with OCP 4.11 and 4.12 Pod Admission Policy set to restricted.
- Loki Operator and Operands (Loki/Gateway/OPA-OpenShift) are schedulable on clusters with OCP 4.11 and 4.12 Pod Admission Policy set to restricted.
Risk and Assumptions
Documentation Considerations
Open Questions
Additional Notes
There are no Sub-Tasks for this issue.