podsecurity: enforce privileged for openshift-dns namespace #298
Conversation
/assign @Miciah
/cc @deads2k
You will need to add the generated files to satisfy the
@@ -10,3 +10,6 @@ metadata: | |||
openshift.io/run-level: "0" | |||
# allow openshift-monitoring to look for ServiceMonitor objects in this namespace | |||
openshift.io/cluster-monitoring: "true" | |||
pod-security.kubernetes.io/enforce: privileged |
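Review bot: the new `pod-security.kubernetes.io/enforce: privileged` label carries no comment saying which workload needs the privileged level, while the neighbouring labels in this file are each explained (`# allow openshift-monitoring to look for ServiceMonitor objects in this namespace`); add one naming the node-resolver daemonset and its need for host networking, host path volumes and a privileged container, so the label is neither tightened nor loosened blindly later. Also, the header `@@ -10,3 +10,6 @@` reports three added lines but only this one is visible in the hunk, so the other two should be checked before merge.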
Could you add a comment for these new labels?
@candita fixed, ptal :-)
97e9684 to 610d889
/test e2e-upgrade
Just checking, lest I miss an opportunity to learn new jargon, is "admirably restricted" supposed to be "at most restricted"?
@@ -10,3 +10,8 @@ metadata: | |||
openshift.io/run-level: "0" | |||
# allow openshift-monitoring to look for ServiceMonitor objects in this namespace | |||
openshift.io/cluster-monitoring: "true" | |||
# allow node-resolver daemonset to pass baseline pod security admission. | |||
# It uses host networking, host path volumes, and is a privileged. |
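Review bot: the comment line `# It uses host networking, host path volumes, and is a privileged.` has a stray article and should read `and is privileged.` (or, more precisely, `and runs a privileged container`). As with the earlier revision, the header `@@ -10,3 +10,8 @@` reports five added lines but only the two comment lines are visible here, so confirm that the label lines this comment introduces are present in the final revision.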
# It uses host networking, host path volumes, and is a privileged.
# It uses host networking, host path volumes, and is privileged.
Just a grammar nit, and need to wait for successful CI test, but otherwise
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: candita, s-urbaniak
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest-required Please review the full test history for this PR and help us cut down flakes.
3 similar comments
The
Starting with OpenShift 4.10 we are introducing PodSecurity admission (https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement).
Currently, all pods are marked as privileged; however, over time we want to enforce at least baseline, admirably restricted, as default. In order not to break control plane workloads, this allows workloads in the `openshift-dns` namespace to run privileged pods. See openshift/enhancements#899 for more details (and excuse the eventual consistency of updates).
/cc @stlaz
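The description above explains the mechanism behind this change: per-namespace `pod-security.kubernetes.io/*` labels decide which Pod Security level is applied, and a namespace labelled `enforce: privileged` keeps running privileged pods after the cluster default is raised. As an added example, not code from this PR or from the cluster-dns-operator project, the Python below audits Namespace manifests: it derives the effective enforce/audit/warn level for each namespace from the upstream label keys and lists the namespaces that would stay below a chosen floor such as `baseline`. The sample manifests are constructed (the `openshift-dns` entry mirrors the labels visible in the hunk; the others are invented), and the fallback to `privileged` for an unlabelled namespace is an assumption taken from the description's statement that all pods are currently treated as privileged.

```python
"""Audit Pod Security Admission (PSA) labels on Namespace manifests.

Added example; not code from this PR or from the cluster-dns-operator
project. It relies on the upstream PSA label keys
pod-security.kubernetes.io/{enforce,audit,warn} and the three standard
levels. The sample manifests below are constructed for illustration.
"""

PSA_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")
# Ordered from least to most restrictive.
LEVELS = ("privileged", "baseline", "restricted")


def psa_levels(namespace: dict, default: str = "privileged") -> dict:
    """Return the effective PSA level for each mode from a Namespace's labels.

    A missing label falls back to `default`. Assumption: the cluster-wide
    default is "privileged", matching the PR description's statement that
    all pods are currently treated as privileged. A label value outside the
    three known levels is rejected here, so a typo is caught before the
    manifest is applied.
    """
    name = namespace["metadata"]["name"]
    labels = namespace["metadata"].get("labels") or {}
    levels = {}
    for mode in MODES:
        level = labels.get(PSA_PREFIX + mode, default)
        if level not in LEVELS:
            raise ValueError(f"{name}: invalid {mode} level {level!r}")
        levels[mode] = level
    return levels


def weaker_than(level: str, floor: str) -> bool:
    """True when `level` is less restrictive than `floor`."""
    return LEVELS.index(level) < LEVELS.index(floor)


def audit_namespaces(namespaces, floor: str = "baseline"):
    """List (name, levels) for namespaces whose enforce level is below `floor`.

    This answers the question the PR raises: which namespaces keep running
    privileged pods once the default is raised to baseline or restricted.
    """
    findings = []
    for ns in namespaces:
        levels = psa_levels(ns)
        if weaker_than(levels["enforce"], floor):
            findings.append((ns["metadata"]["name"], levels))
    return findings


# Constructed sample input, shaped like the items of `kubectl get ns -o json`.
SAMPLE_NAMESPACES = [
    {   # labels as visible in the PR's hunk (YAML comments are not
        # representable in a dict manifest)
        "metadata": {
            "name": "openshift-dns",
            "labels": {
                "openshift.io/run-level": "0",
                "openshift.io/cluster-monitoring": "true",
                "pod-security.kubernetes.io/enforce": "privileged",
            },
        }
    },
    {   # invented: an application namespace already at restricted
        "metadata": {
            "name": "team-app",
            "labels": {
                "pod-security.kubernetes.io/enforce": "restricted",
                "pod-security.kubernetes.io/warn": "restricted",
            },
        }
    },
    {   # invented: no PSA labels at all, so it inherits the default
        "metadata": {"name": "legacy"}
    },
]


if __name__ == "__main__":
    for name, levels in audit_namespaces(SAMPLE_NAMESPACES):
        print(f"{name}: enforce={levels['enforce']} "
              f"audit={levels['audit']} warn={levels['warn']}")
```

Run against real cluster data by feeding the `items` of `kubectl get namespaces -o json` into `audit_namespaces`; the `openshift-dns` sample shows the point of the PR's label, namely that it is the namespace's own `enforce` label, not the cluster default, that keeps the node-resolver pods admissible once the default moves up.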