Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Labels:
- no-qe

Story Points:
3
Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
Platform Operators - Phase 0
Feature Link:
OCPPLAN-9555 - Platform Operators

Sprint:
[OLM-224] FBC/PSA - Pikachu
RICE Score:
0

SFDC Cases Links:
SFDC Cases Counter:

In a recent effort to update our systems to respect and work with PSA changes, we are updating openshift-* namespaces to have two labels set:

{{pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: <kubernetes version used in payload>}}

To do this we just need to add the labels to the repo's namespace manifest and make sure it generates to the manifests directory. The only complex thing here may come from how we will keep the enforce-version up-to-date, so we should look into that.

For more information, reference the official documentation for this subject:

https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/

Open Questions:

Can we set the enforce-version field to 'latest' so we don't need to update it per-minor-version release?
Is there any openshift policy for the enforce-version key?

AC:

Update the o/platform-operators repository and add the relevant pod security labels to the namespace manifests

blocks

OPRUN-2668 Add the PO/rukpak components to the OCP payload

Closed

links to

config,manifests: Add PSA configuration for the CPOM deployment in o/platform-operators

feat: introduce the PSA changes from upstream RukPak in o/platform-operators

QE Tracker

Closed

Jian Zhang

Assignee:: Anik Bhattacharjee

Reporter:: Tyler Slaton (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2022/08/17 9:04 PM

Updated:: 2022/09/02 3:55 PM

Resolved:: 2022/09/02 3:55 PM

Details

Description

Attachments

Issue Links

Sub-Tasks

Activity

People

Dates