OCPSTRAT-487: Pod Security Admission Integration - Restricted Enforcement

Project: OpenShift Container Platform (OCP) Strategy


Upstream Kubernetes deprecated PodSecurityPolicy and replaced it with a new built-in admission controller that enforces the Pod Security Standards (see here for the motivations behind the deprecation). OpenShift has its own dedicated pod admission system, Security Context Constraints. Our aim is to keep the Security Context Constraints pod admission system while also giving users access to Kubernetes Pod Security Admission.

With OpenShift 4.11, we turned on Pod Security Admission with global "privileged" enforcement. Additionally, we set the "restricted" profile for warnings and audit. This configuration made it possible for users to opt their namespaces in to Pod Security Admission with the per-namespace labels. We also introduced a new mechanism that automatically synchronizes the Pod Security Admission "warn" and "audit" labels.

With OpenShift 4.15, we intend to change the global configuration to enforce the "restricted" pod security profile. With this change, the label synchronization mechanism will also switch into a mode where it synchronizes the "enforce" Pod Security Admission label rather than the "audit" and "warn" labels.
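As an added illustration (not configuration taken from this issue or from OpenShift's own sources), the two cluster-wide states described above expressed in the upstream PodSecurity admission configuration format, followed by a namespace that opts in to "restricted" enforcement via labels; on OpenShift the admission configuration is managed by the platform rather than edited by hand, and the namespace name is a constructed example.

```yaml
# Added example, not from the issue. Upstream PodSecurity admission
# configuration (kube-apiserver --admission-control-config-file format).

# State 1 (OpenShift 4.11 behaviour): enforce "privileged" cluster-wide,
# but warn and audit against "restricted" so violations are visible.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "privileged"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
---
# State 2 (OpenShift 4.15 target): enforce "restricted" cluster-wide.
# Pods that previously only produced warnings/audit events are now rejected.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: PodSecurity
  configuration:
    apiVersion: pod-security.admission.config.k8s.io/v1
    kind: PodSecurityConfiguration
    defaults:
      enforce: "restricted"
      enforce-version: "latest"
      audit: "restricted"
      audit-version: "latest"
      warn: "restricted"
      warn-version: "latest"
---
# Per-namespace opt-in under State 1: namespace labels override the cluster
# defaults, so this namespace is already enforced at "restricted".
apiVersion: v1
kind: Namespace
metadata:
  name: payments            # constructed example name
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
```

Before the global switch, the upstream dry-run technique shows which existing pods a namespace would lose: `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted` reports the violations without changing the namespace.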
