  1. OpenShift Request For Enhancement
  2. RFE-5088

A new upgrade option is required during upgrade that will change all namespaces to DEFAULT pod security policy value


    • Feature Request
    • Resolution: Unresolved
    • RHEL CoreOS

      Problem Description

      • Installed as OpenShift 4.11 and above: The default pod security policy (PSP) changed from "baseline" to "restricted" in these clusters. This stricter policy offers better security by limiting pod capabilities and privileges.
      • OpenShift 4.10 (or lower) upgrades: Clusters upgraded from 4.10 (or lower) retain the previous "baseline" PSP for the namespace. This preserves backward compatibility and avoids breaking existing deployments that might rely on the less restrictive settings.

      The customer mentioned that there are 70 clusters built on 4.10 and upgraded to 4.11; it is quite tedious to update all the namespaces to the restricted SCC manually.

      The consultant wants an option to be provided during the upgrade that, when passed, will change all namespaces to the DEFAULT pod security policy value and, if not passed, will preserve the pod security value of the existing cluster during the upgrade.

              rhn-support-mrussell Mark Russell
              sasakshi@redhat.com Sakshi sakshi
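An added example, not part of the ticket or of OpenShift itself: until such an upgrade option exists, the per-cluster work described above can be scoped by auditing `oc get namespaces -o json` output for namespaces that do not enforce the restricted level. It assumes the ticket's "pod security value" is the upstream Pod Security Admission label `pod-security.kubernetes.io/enforce`; the namespace names are constructed, and skipping `openshift-*`/`kube-*` namespaces is an assumption.

```python
import json

ENFORCE = "pod-security.kubernetes.io/enforce"  # upstream Pod Security Admission label
SYSTEM_PREFIXES = ("openshift-", "kube-")        # assumption: platform namespaces are left alone
SYSTEM_NAMES = {"default", "openshift"}

# Constructed sample of `oc get namespaces -o json` output (not from a real cluster).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "openshift-monitoring", "labels": {ENFORCE: "privileged"}}},
    {"metadata": {"name": "payments", "labels": {ENFORCE: "baseline"}}},
    {"metadata": {"name": "legacy-batch", "labels": {ENFORCE: "privileged"}}},
    {"metadata": {"name": "web", "labels": {ENFORCE: "restricted"}}},
    {"metadata": {"name": "scratch"}},
]})

def audit(namespaces_json, target="restricted"):
    """Return (name, current_level) for user namespaces not enforcing `target`.

    current_level is None when the label is absent; the cluster-wide
    admission default then applies and has to be checked separately.
    """
    findings = []
    for item in json.loads(namespaces_json).get("items", []):
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        if name in SYSTEM_NAMES or name.startswith(SYSTEM_PREFIXES):
            continue
        level = (meta.get("labels") or {}).get(ENFORCE)
        if level != target:
            findings.append((name, level))
    return sorted(findings, key=lambda f: f[0])

def plan(findings, target="restricted"):
    """Render label commands for review, only for explicitly labelled namespaces."""
    return [
        f"oc label namespace {name} {ENFORCE}={target} --overwrite --dry-run=server"
        for name, level in findings if level is not None
    ]

if __name__ == "__main__":
    found = audit(SAMPLE)
    for name, level in found:
        print(f"{name}: enforce={level or 'unset'}")
    print("\n".join(plan(found)))
```

The generated commands use a server-side dry run, so they can be run against a cluster to see which existing workloads would violate the stricter level before any label is actually changed.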