Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-15565

Use 'baseline' instead of privileged for control plane namespace pod security admission

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Obsolete
    • Icon: Undefined Undefined
    • None
    • 4.13, 4.12, 4.14
    • HyperShift
    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • Important
    • No
    • None
    • Rejected
    • Hypershift Sprint 241
    • 1
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      Description of problem:

      Currently hypershift sets the pod security admission level of control plane namespaces as `privileged`. The reason for this is that the router we create in that namespace needs privilege escalation. However, this is achievable with a policy of `baseline`.

      Version-Release number of selected component (if applicable):

      all

      How reproducible:

      always

      Steps to Reproduce:

      1. Create a hosted cluster
2. Inspect labels of hosted control plane namespace
3.

      Actual results:

      pod-security.kubernetes.io/enforce is set to 'privileged'

      Expected results:

      pod-security.kubernetes.io/enforce is set to 'baseline'

      Additional info:

       

              pstefans@redhat.com Patryk Stefanski
              cewong@redhat.com Cesar Wong
              None
              None
              Jie Zhao Jie Zhao
              None
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: