Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-39115

[4.17.z] SCC pinning for all workloads in platform namespaces (openshift-authentication too privileged)

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Undefined Undefined
    • 4.17.z
    • 4.15.z, 4.17.0, 4.16.z, 4.18.z
    • apiserver-auth
    • None
    • No
    • False
    • Hide

      None

      Show
      None
    • Release Note Not Required
    • In Progress

      As per https://issues.redhat.com/browse/OCPBUGS-34795?focusedId=24899358&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-24899358 , oauth-openshift pods should be pinned to "node-exporter" instead of "privileged". Because we should follow a principle that: grant necessary but least privilege instead of granting the most privileged privilege.

      4.17 ~ 4.15 all need reduce the pinning to "node-exporter".

      Backport of AUTH-482

              rh-ee-akramar Anya Kramar
              xxia-1 Xingxing Xia
              Xingxing Xia Xingxing Xia
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: