PSA: add restricted labels to openshift-gitops namespace #674
Conversation
|
Hi @ibihim. Thanks for your PR. I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/retest-required |
|
@ibihim: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
It is recommended to pin the SCC required for the Pods. It can occur that a customer specifies a SCC that has a higher priority than required-v2, which could lead to failing workloads in the namespace.
ibihim
force-pushed
the
pod-security-admission-restricted
branch
from
1b96e1c to
de49bcf
Compare
|
/ok-to-test |
|
/lgtm |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: iam-veeramalla The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test v4.13-e2e |
|
/retest |
|
/test v4.14-e2e |
|
/retest |
|
/lgtm |
…loper#674) * controllers: add psa labels to ns * controllers: add SCC pinning to Pods It is recommended to pin the SCC required for the Pods. It can occur that a customer specifies a SCC that has a higher priority than required-v2, which could lead to failing workloads in the namespace. --------- Co-authored-by: Siddhesh Ghadi <[email protected]> Co-authored-by: Abhishek Veeramalla <[email protected]>
| // Set pod security policy, which is required for namespaces pre-fixed with openshift | ||
| // as the pod security label syncer doesn't set them on OCP namespaces. | ||
| objectMeta.Labels["pod-security.kubernetes.io/enforce"] = "restricted" | ||
| objectMeta.Labels["pod-security.kubernetes.io/enforce-version"] = "v1.29" |
There was a problem hiding this comment.
Hi @ibihim, just trying to understand this change. Was there any special reason to set it to v1.29 and not latest?
|
Hi, yes. latest is better. at the moment in time, we used a fixed version in openshift, but we moved now ahead to latest. |
|
Thanks for the confirmation @ibihim . Will update it to latest. |
What type of PR is this?
/kind enhancement
What does this PR do / why we need it:
Add pod security policy restricted to the openshift-gitops namespace.
openshift-prefixed namespaces are not managed by the pod security policy sync controller, which sets pod security labels automatically for the users. It is expected that openshift namespaces consciously pick their security stance.
This means, that if pod security labels are not set, the defaults from the global config are being applied, which are set to restricted.
I am adding the SCC restricted-v2, such that the necessary SecurityContext should be set by SCC mutation.
It is related to the PR to upstream: argoproj-labs/argocd-operator#1288.
Have you updated the necessary documentation?
Which issue(s) this PR fixes:
Fixes #?
Test acceptance criteria:
How to test changes / Special notes to the reviewer:
openshift-gitopsnamespace should have the labels set in this PR.