Details
-
Feature Request
-
Resolution: Unresolved
-
Normal
-
None
-
None
-
False
-
-
False
-
Not Selected
-
ToDo
-
0
-
0%
-
0
-
0
-
Very Likely
-
0
-
None
-
Unset
-
Unknown
Description
Proposed title of this feature request
Allow disabling "pod-security.kubernetes.io/enforce: privileged" for OADP-protected namespaces
What is the nature and description of the request?
Customer is reviewing the security of their platform and has noticed that in the namespace in which a `DataProtectionApplication` is created (using the OADP Operator on OpenShift) is managed by the operator, the namespace is then statically set to the privileged PSA profile:
{{kind: Namespace
apiVersion: v1
metadata:
[...]
labels:
[...]
pod-security.kubernetes.io/enforce: privileged}}
The customer would like to disable this behaviour as the customer does not use Restic or Data Mover.
Why does the customer need this? (List the business requirements here)
Customer would like to enforce the principle-of-least-privileges. The customer does not use Restic or Data Mover and therefore would not need this permission on a protected namespace.
Having more fine-grained privileges would increase the perceived security of the platform.
List affected component/s.
OADP Operator
Potentially blocking velero issues: