Loading...

XML

Word

Printable

Type: Epic
Resolution: Unresolved
Priority: Blocker
Fix Version/s: OADP 1.5.0
Affects Version/s: None
Component/s: ci, data-mover, fsbackup, nodeagent, OADP, restic
Labels:
- oadp_419_req
- triaged

Epic Name:
Support restricted Pod Security Standard
Story Points:
3
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Color Status:
Not Selected
Epic Status:
To Do
QEStatus:
ToDo
Hierarchy Progress Bar:

100% To Do, 0% In Progress, 0% Done
Target Version:

OADP 1.5.0

Cost of Delay:
0
WSJF:
0.000
Risk Probability:
Very Likely
Risk Score:
0

Workstream:

None

Root Cause:
Unset
Failure Category:
Unknown

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Intelligence Requested:
Market:

Epic Goal

Why is this important?

It is currently expected that by OCP 4.19 (and current master branch 4-dev-preview) that Pod Security Standard set in OpenShift will be restricted from https://issues.redhat.com/browse/OCPSTRAT-487

Our procedure is the following: * we keep it on on master always

we disable it in the release branch until 4.19

with 4.19, we plan to enable it, God willing

Why do we do that?Such that people run into issues and fix them, before we turn it on.

We will need to adjust our products, documentation, and testing accordingly.

Mainly the changes will be related to limiting use of privileged containers across sample apps and the product.

TODOS:

Make privileged=true configurable in DPA for node agent. Privileged should be the default, but we need to be able to disable this from the DPA
1. confirm normal velero manifests backup with CSI/without volumes completes successfully in restricted policy.
Document that non-privileged node agent will work for datamover but not fs-backup
Document that shallow copy also won't work in restricted pod env
Document that to use fs-backup or shallow copy, the cluster security policy must be configured to not require restricted pods
modify sample apps to conform to the restricted policy.
set label
pod-security.kubernetes.io/enforce

Can test restricted Pod Security Standard today in current versions by enabling feature gate or use 4-dev-preview.

Pod security admission enforcement. Enables the restricted enforcement mode for pod security admission. Instead of only logging a warning, pods are rejected if they violate pod security standards. (OpenShiftPodSecurityAdmission)

Scenarios

Dependencies (internal and external)

User Story:
Foundation for product enhancement.

As a <type of user>
I want <some goal>
so that <value/some reason>

Acceptance Criteria: (Definition of Done)
Defines the scope, what to satisfy before the story is proclaimed as completed. Defines pass/fail criteria.

Verify that…

Functional Acceptance Criteria

Non - Functional Acceptance Criteria

depends on

OADP-5104 Ensure OADP 1.5 install, CSI and DM backups work in pod restricted cluster

is blocked by

OADP-5141 Make OADP work in restricted Pod Security Standard environment

is depended on by

OADP-5157 OADP-1.5.0

OADP-5239 Restore Partially Fails Due to container 'restore-wait' Violating PodSecurityContext Constraints

relates to

AUTH-262 Pod Security Admission Integration - Restricted Enforcement

In Progress

OADP-552 Validate OADP with 4.11 and Pod Security Admissions

Closed

OCPSTRAT-487 Pod Security Admission Integration - Restricted Enforcement

In Progress

links to

https://redhat-internal.slack.com/archives/C0144ECKUJ0/p1729699511729779?thread_ts=1729699499.772989&cid=C0144ECKUJ0

openshift/oadp-operator#1555: sample-apps: handle restricted podsecurityadmission default in 4-dev-preview/4.19

(2 relates to, 2 links to)

Assignee:: Wes Hayutin

Reporter:: Tiger Kaovilai

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/10/14 1:48 PM

Updated:: 2024/11/19 5:42 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates