Feature Request
Resolution: Unresolved
Normal
Product / Portfolio Work
1. Proposed title of this feature request
Enforce RuntimeDefault Seccomp Profiles for prometheus-k8s via nonroot-v2 SCC Migration
2. What is the nature and description of the request?
Nature: Security Hardening and Platform Standardization.
Description: Currently, the cluster-monitoring-operator (CMO) deploys the prometheus-k8s StatefulSet with a hardcoded requirement for the legacy nonroot Security Context Constraint (SCC). This legacy SCC predates the Kubernetes Pod Security Admission (PSA) standards: it does not permit the seccompProfile field to be set at all, so it can neither accept nor enforce a seccomp profile on the pod.
When a cluster uses a mutating admission webhook or an internal policy to inject a RuntimeDefault seccomp profile into every pod, the legacy nonroot SCC rejects the injected Prometheus pod, and pod creation for the StatefulSet fails with an admission error of the form "Forbidden: seccomp may not be set".
The request is to update the CMO and the Prometheus pod template to:
- Change the required SCC from nonroot to nonroot-v2.
- Explicitly set seccompProfile.type: RuntimeDefault, at the pod level (spec.securityContext) and in the securityContext of the Prometheus container and each sidecar container.
- Explicitly set allowPrivilegeEscalation: false on every container, as required by the v2 SCCs and the PSA baseline/restricted profiles.
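The following Python is an added illustration and is not CMO code or any OpenShift manifest. It models the two SCC behaviours the request describes (legacy nonroot rejects any seccompProfile; nonroot-v2 admits RuntimeDefault and forbids privilege escalation) as a small pre-admission lint, and applies the template changes requested above to a constructed, trimmed stand-in for the prometheus-k8s pod template. The rule sets are a simplification: real SCC admission also checks UID ranges, capabilities and volumes, and defaults absent fields rather than rejecting them, so only explicitly forbidden values are flagged here.

```python
"""Lint a pod template against a model of the legacy nonroot SCC and nonroot-v2.

Added example, not cluster-monitoring-operator code. The rules are a simplified
model of the SCC behaviour described in the request:
  - "nonroot"    : any seccompProfile (pod- or container-level) is rejected
  - "nonroot-v2" : only RuntimeDefault seccomp; allowPrivilegeEscalation: true is rejected
Real SCC admission checks more (UIDs, capabilities, volumes) and defaults absent
fields, so only explicit bad values are reported here.
"""
import copy

RUNTIME_DEFAULT = "RuntimeDefault"


def _containers(pod_spec):
    """Yield (json_path, container) for init and regular containers."""
    for key in ("initContainers", "containers"):
        for i, c in enumerate(pod_spec.get(key) or []):
            yield f"spec.{key}[{i}]", c


def _effective_seccomp(pod_spec, container):
    """A container-level seccompProfile overrides the pod-level one."""
    ctx = container.get("securityContext") or {}
    if ctx.get("seccompProfile"):
        return ctx["seccompProfile"].get("type")
    pod_ctx = pod_spec.get("securityContext") or {}
    return (pod_ctx.get("seccompProfile") or {}).get("type")


def validate(pod_spec, scc):
    """Return findings in the style of SCC admission errors; [] means admitted."""
    findings = []
    pod_ctx = pod_spec.get("securityContext") or {}
    if scc == "nonroot":
        if pod_ctx.get("seccompProfile"):
            findings.append("spec.securityContext.seccompProfile: Forbidden: seccomp may not be set")
        for path, c in _containers(pod_spec):
            if (c.get("securityContext") or {}).get("seccompProfile"):
                findings.append(f"{path}.securityContext.seccompProfile: Forbidden: seccomp may not be set")
    elif scc == "nonroot-v2":
        for path, c in _containers(pod_spec):
            ctx = c.get("securityContext") or {}
            prof = _effective_seccomp(pod_spec, c)
            if prof is not None and prof != RUNTIME_DEFAULT:
                findings.append(f"{path}.securityContext.seccompProfile.type: Forbidden: {prof} is not an allowed seccomp profile")
            if ctx.get("allowPrivilegeEscalation") is True:
                findings.append(f"{path}.securityContext.allowPrivilegeEscalation: Forbidden: must be set to false")
    else:
        raise ValueError(f"unknown SCC {scc!r}")
    return findings


def webhook_inject(pod_spec):
    """Model of a corporate mutating webhook that stamps RuntimeDefault on the pod."""
    spec = copy.deepcopy(pod_spec)
    spec.setdefault("securityContext", {})["seccompProfile"] = {"type": RUNTIME_DEFAULT}
    return spec


def harden(pod_spec):
    """Apply the requested template changes: explicit RuntimeDefault everywhere,
    allowPrivilegeEscalation: false on every container. Returns a new dict."""
    spec = copy.deepcopy(pod_spec)
    spec.setdefault("securityContext", {})["seccompProfile"] = {"type": RUNTIME_DEFAULT}
    for _, c in _containers(spec):
        ctx = c.setdefault("securityContext", {})
        ctx["allowPrivilegeEscalation"] = False
        ctx["seccompProfile"] = {"type": RUNTIME_DEFAULT}
    return spec


# Constructed, trimmed stand-in for the prometheus-k8s pod template (not CMO's manifest).
CURRENT_TEMPLATE = {
    "serviceAccountName": "prometheus-k8s",
    "securityContext": {"runAsNonRoot": True, "fsGroup": 65534},
    "initContainers": [{"name": "init-config-reloader"}],
    "containers": [
        {"name": "prometheus"},
        {"name": "config-reloader"},
        {"name": "thanos-sidecar"},
        {"name": "kube-rbac-proxy"},
    ],
}

if __name__ == "__main__":
    cases = [
        ("as shipped, nonroot", CURRENT_TEMPLATE, "nonroot"),
        ("webhook-injected, nonroot", webhook_inject(CURRENT_TEMPLATE), "nonroot"),
        ("webhook-injected, nonroot-v2", webhook_inject(CURRENT_TEMPLATE), "nonroot-v2"),
        ("hardened, nonroot-v2", harden(CURRENT_TEMPLATE), "nonroot-v2"),
    ]
    for label, spec, scc in cases:
        print(f"{label}: {validate(spec, scc) or 'admitted'}")
```

To run this against a live cluster, pass the `.spec.template.spec` object from `oc get statefulset prometheus-k8s -n openshift-monitoring -o json` as `pod_spec`; the SCC a running pod was actually admitted under is recorded in its `openshift.io/scc` annotation. Note that the webhook-injected template is admitted by nonroot-v2 without any other change, which is the point of the migration: once the required SCC is nonroot-v2, the customer's seccomp mandate and the platform's monitoring stack no longer conflict, and the explicit values set by `harden` make the template correct regardless of what a webhook adds.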
3. Why does the customer need this? (List the business requirements here)
- Compliance with Corporate Security Mandates: Many enterprise customers use Mutating Webhooks to enforce RuntimeDefault seccomp profiles across the cluster. The current Monitoring stack blocks these mandates, forcing customers to either disable security features or manually grant overly-permissive SCCs (like anyuid) to core components, which violates their "Zero Trust" architecture.
- Alignment with OpenShift Roadmap: OpenShift is moving toward PSA-aligned SCCs (restricted-v2, nonroot-v2). Keeping the monitoring stack on legacy nonroot creates technical debt and prevents the cluster from being fully "PSA-ready" without exceptions.
- Operational Stability: Currently, if a customer tightens their security posture by injecting seccomp profiles, the Monitoring stack breaks: the prometheus-k8s StatefulSet reports FailedCreate events and no Prometheus pods are admitted. Moving to nonroot-v2 ensures that the platform's own monitoring services are compatible with modern, hardened Kubernetes environments.
- Reduction in Manual Intervention: Customers expect "Managed Services" like the Cluster Monitoring Operator to work out-of-the-box. Requiring manual SCC manipulation to fix seccomp errors undermines the value of a managed operator.
4. List any affected packages or components.
OpenShift Monitoring: the prometheus-k8s StatefulSet and the cluster-monitoring-operator (CMO) that renders its pod template and SCC requirement.