OCPSTRAT-487

Pod Security Admission Integration - Restricted Enforcement

OCPSTRAT-28 Secure the Platform
0% To Do, 67% In Progress, 33% Done

Upstream Kubernetes deprecated PodSecurityPolicy and replaced it with a new built-in admission controller that enforces the Pod Security Standards (see here for the motivations for the deprecation). OpenShift has its own dedicated pod admission system, Security Context Constraints. Our aim is to keep the Security Context Constraints pod admission system while also giving users access to the Kubernetes Pod Security Admission.

With OpenShift 4.11, we turned on Pod Security Admission with global "privileged" enforcement. Additionally, we set the "restricted" profile for warnings and audit. This configuration made it possible for users to opt their namespaces in to Pod Security Admission with the per-namespace labels. We also introduced a new mechanism that automatically synchronizes the Pod Security Admission "warn" and "audit" labels.

With OpenShift 4.15, we intend to move the global configuration to enforce the "restricted" pod security profile globally. With this change, the label synchronization mechanism will also switch into a mode where it synchronizes the "enforce" Pod Security Admission label rather than the "audit" and "warn" labels.
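As an added example (not part of this issue and not OpenShift's own manifests), the per-namespace opt-in described above expressed as a Namespace manifest that sets the Pod Security Admission labels to "restricted", followed by a pod spec that satisfies the restricted profile; the namespace name, pod name and image are constructed values.

```yaml
# Constructed example: opt one namespace in to "restricted" enforcement
# ahead of the cluster-wide switch. The enforce label is what the
# built-in admission controller uses to reject non-conforming pods.
apiVersion: v1
kind: Namespace
metadata:
  name: example-app                      # constructed name
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # Keep warn and audit at the same level so kubectl/oc clients get a
    # warning and the API server audit log records violations.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
    # OpenShift-specific opt-out: stop the label synchronizer from
    # rewriting the PSA labels of this namespace from its SCC access.
    security.openshift.io/scc.podSecurityLabelSync: "false"
---
# A pod that passes the "restricted" Pod Security Standard checks.
apiVersion: v1
kind: Pod
metadata:
  name: example-app                      # constructed name
  namespace: example-app
spec:
  securityContext:
    runAsNonRoot: true                   # restricted: no root user
    seccompProfile:
      type: RuntimeDefault               # restricted: seccomp required
  containers:
    - name: app
      image: registry.example.com/app:1.0  # constructed image reference
      securityContext:
        allowPrivilegeEscalation: false  # restricted: no setuid escalation
        capabilities:
          drop: ["ALL"]                  # restricted: drop all capabilities
```

Without the sync opt-out label, the synchronizer would set the namespace's labels from the SCCs its service accounts can use, so set it only where the labels are managed by hand.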

Anjali Telang (atelang@redhat.com)
Xingxing Xia
Deepak Punia
Stephanie Stout
David Eads
Marina Kalinin