podsecurity: enforce privileged for openshift-dns namespace

[s-urbaniak]

Starting with OpenShift 4.10 we are introducing PodSecurity admission (https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement).

Currently, all pods are marked as privileged, however, over time we want to enforce at least baseline, admirably restricted as default. In order not to break control plane workloads this allows workloads in openshift-dns namespace to run privileged pods.

See openshift/enhancements#899 for more details (and excuse the eventual consistency of updates).

/cc @stlaz

[aojea]

/assign @Miciah

[s-urbaniak]

/cc @deads2k

[candita]

You will need to add the generated files to satisfy the verify test.

[candita]

Could you add a comment for these new labels?

[s-urbaniak]

@candita fixed, ptal :-)

[candita]

numerous ContainerExit code/137

/test e2e-upgrade

[candita]

Currently, all pods are marked as privileged, however, over time we want to enforce at least baseline, admirably restricted as default. In order not to break control plane workloads this allows workloads in openshift-dns namespace to run privileged pods.

Just checking, lest I miss an opportunity to learn new jargon, is "admirably restricted" supposed to be "at most restricted"?

[candita]

Suggested change

	# It uses host networking, host path volumes, and is a privileged.
	# It uses host networking, host path volumes, and is privileged.

[candita]

Just a grammar nit, and need to wait for successful CI test, but otherwise
/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: candita, s-urbaniak

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [candita]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest-required

Please review the full test history for this PR and help us cut down flakes.

[Miciah]

@s-urbaniak,

Currently, all pods are marked as privileged, however, over time we want to enforce at least baseline, admirably restricted as default. In order not to break control plane workloads this allows workloads in openshift-dns namespace to run privileged pods.

The openshift-dns namespace specifies openshift.io/run-level: "0" to skip admission entirely so as to avoid a cyclic dependency between DNS and admission; see 27a4f94 by @deads2k. Is the intent eventually to remove openshift.io/run-level: "0" from the namespace? If so, how will we prevent a cyclic dependency without specifying run-level? I don't see this addressed in https://github.com/openshift/enhancements/blob/master/enhancements/authentication/pod-security-admission.md.