OpenShift Cloud / OCPCLOUD-1305

Evaluate and adjust Cluster Machine Approver podsecurity as appropriate


    • Story
    • Resolution: Unresolved

      User Story

      As a developer I want to ensure that the Cluster Machine Approver is not running with escalated privileges so that its security footprint is minimized.

       

      Background

      In 4.10, OpenShift will be using Pod Security Admission Control. To support this, the namespace manifests for the various OpenShift operators are being modified to include the "privileged" level of security for core operators.

      During the discussion on this PR to the CMA, agarcial@redhat.com noted that the CMA does not necessarily need this level and that we should scope it down.

      Steps

      • Evaluate if the CMA can run in a more restrictive mode
      • Adjust the namespace manifest if necessary
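
One way to approach the evaluation step, as an added example that is not part of the original issue or the CMA code base: a Python check that tests a pod spec against a subset of the upstream Pod Security Standards controls and returns the strictest `pod-security.kubernetes.io/enforce` label it would pass. The pod specs and the container name `approver` are constructed for illustration and are not the CMA's real manifests.

```python
# Added example: checks a SUBSET of the Kubernetes Pod Security Standards
# controls; the real admission plugin evaluates more fields than this.
ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"

def _containers(spec):
    return spec.get("containers", []) + spec.get("initContainers", [])

def baseline_violations(spec):
    """Settings that only the 'privileged' level allows."""
    found = [f"{f}=true" for f in ("hostNetwork", "hostPID", "hostIPC") if spec.get(f)]
    found += [f"hostPath volume {v.get('name')}" for v in spec.get("volumes", []) if "hostPath" in v]
    for c in _containers(spec):
        if c.get("securityContext", {}).get("privileged"):
            found.append(f"{c['name']}: privileged=true")
        if any(p.get("hostPort") for p in c.get("ports", [])):
            found.append(f"{c['name']}: hostPort set")
    return found

def restricted_violations(spec):
    """Baseline violations plus the hardening that 'restricted' requires."""
    found = baseline_violations(spec)
    pod_sc = spec.get("securityContext", {})
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(f"{c['name']}: allowPrivilegeEscalation not false")
        # Container-level value wins; otherwise fall back to the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{c['name']}: runAsNonRoot not true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            found.append(f"{c['name']}: capabilities.drop lacks ALL")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f"{c['name']}: seccompProfile not RuntimeDefault/Localhost")
    return found

def namespace_label(spec):
    """Strictest enforce label this pod spec would pass, per the checks above."""
    if not restricted_violations(spec):
        return {ENFORCE_LABEL: "restricted"}
    if not baseline_violations(spec):
        return {ENFORCE_LABEL: "baseline"}
    return {ENFORCE_LABEL: "privileged"}

# Constructed pod specs (hypothetical, not the CMA's real manifests).
HOST_NET = {"hostNetwork": True, "containers": [{"name": "approver"}]}
PLAIN = {"containers": [{"name": "approver"}]}
HARDENED = {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
            "containers": [{"name": "approver", "securityContext": {
                "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}
```

The violation lists name the fields that would have to change in the deployment before the namespace label could be tightened.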

      Stakeholders

      • Cloud Infra Team
      • OpenShift Eng

      Definition of Done

      • CMA namespace adjusted if necessary
      • Docs
        • N/A
      • Testing
        • Our normal E2E tests should suffice. We could add a test to ensure that the namespace has the proper pod security level, but we should check to see if there are any tests that have been created for 4.10.

              Unassigned
              mimccune@redhat.com Michael McCune