Uploaded image for project: 'OpenShift Over the Air'
  1. OpenShift Over the Air
  2. OTA-784

Check PodSecurityViolation behavior on 4.11 to 4.12 updates

    XMLWordPrintable

Details

    • Spike
    • Resolution: Done
    • Critical
    • None
    • None
    • Update Monitoring
    • 3
    • False
    • None
    • False
    • OTA 225

    Description

      4.12.0-ec.3 included cluster-kube-apiserver-operator#1369 tightening pod/container security admission from "warn" to "reject" (I think?). We should test the UX by:

      1. Launching a 4.11 cluster.
      2. Installing a violating workload.
      3. Confirm that PodSecurityViolation starts firing.
      4. Request an update to 4.12.0-ec.3.
      5. See how the workload handles the end-of-update rolling machine-config reboots.

      If the workload continues to have non-fatal admission warnings, that suggests that I'm misunderstanding cluster-kube-apiserver-operator#1369.

      If the workload fails to restart now that the warnings are fatal, we might want a new admin-ack on 4.11.z, similar to the Kube-API-removal OCPBUGS-1251, for "If your cluster, or any idle workloads or tools use...", so that admins are not surprised if non-compliant workloads break post-update.

      Attachments

        Issue Links

          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. AUTH-262 Pod Security Admission Integration - Restricted Enforcement

          • Critical - To be worked on immediately following BLOCKER issues.
          • In Progress

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. ENTMQBR-6717 Add support for "Pod Security Admission"

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Resolved
          links to

          GitHub openshift/openshift-docs#51163: OSDOCS-3574: Adding preparing to update to 4.12 docs

          Activity

            People

              trking W. Trevor King
              trking W. Trevor King
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: