Feature Request
Resolution: Unresolved
Problem Description
- Clusters installed as OpenShift 4.11 and above: The default pod security policy (PSP) changed from "baseline" to "restricted" in these clusters. This stricter policy offers better security by limiting pod capabilities and privileges.
- OpenShift 4.10 (or lower) upgrades: Clusters upgraded from 4.10 (or lower) retain the previous "baseline" PSP for the namespace. This preserves backward compatibility and avoids breaking existing deployments that might rely on the less restrictive settings.
The customer mentioned that there are 70 clusters built on 4.10 and upgraded to 4.11, so it is quite tedious to update all the namespaces to the restricted SCC manually.
The consultant wants an option to be provided during the upgrade: when passed, it changes all namespaces to the DEFAULT pod security policy value; when not passed, the upgrade preserves the existing cluster's pod security value.