  1. OpenShift Request For Enhancement
  2. RFE-4792

Add standard label to all OCP platform-related workloads

Details

    • Feature Request
    • Resolution: Done
    • Normal

    Description

      1. Proposed title of this feature request

      Add standard label to all OCP platform-related workloads to support ACS report filtering.

      2. What is the nature and description of the request?

      A standard label identifying all OCP "platform-related" workloads as such should be implemented in support of creating a method by which ACS vulnerability reports for tenant namespaces can be filtered to exclude those particular workloads.

      3. Why does the customer need this? (List the business requirements here)

      This is a large OCP and ACS customer in the public sector space. The OCP "platform" is ATO'd separately from each tenant application running on it. Those tenant applications each require their own separate ATOs. The problem occurs when tenant namespaces are scanned for CVEs. Those scans contain CVEs in platform-related deployments running in those tenant namespaces, such as GitLab runners and oauth-proxy sidecar containers – CVEs that had already been approved under the platform ATO but are now included as part of the tenant's scan, making the tenant responsible for them. By allowing ACS vulnerability reports of tenant namespaces and deployments to exclude a specific/standard label denoting a particular workload as being platform-related, the tenant CVE scans could be limited to just vulnerabilities associated with their particular applications.

      4. List any affected packages or components.

      All platform-related OCP deployments (core components, operators, etc).

          People

            gausingh@redhat.com Gaurav Singh
            rh-ee-cwigal Chad Wigal