podsecurity: enforce privileged for openshift-cluster-csi-drivers namespace #218
Conversation
|
/cc @deads2k |
| @@ -10,3 +10,6 @@ metadata: | |||
| workload.openshift.io/allowed: "management" | |||
| labels: | |||
| openshift.io/cluster-monitoring: "true" | |||
| pod-security.kubernetes.io/enforce: privileged | |||
| pod-security.kubernetes.io/audit: privileged | |||
| pod-security.kubernetes.io/warn: privileged | |||
There was a problem hiding this comment.
For historical reasons, the Manila CSI driver is deployed to a different namespace than the other CSI drivers (assets/csidriveroperators/manila/01_namespace.yaml). That driver also has a component that needs to be privileged.
Could you add these labels to that namespace as well? Note that that NS is created by this operator, not CVO.
There was a problem hiding this comment.
@bertinatto added the labels, thank you!
s-urbaniak
force-pushed
the
pod-security
branch
from
f04c691
to
2a3fbb6
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bertinatto, s-urbaniak The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
@s-urbaniak: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
Starting with OpenShift 4.10 we are introducing PodSecurity admission (https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement).
Currently, all pods are marked as privileged, however, over time we want to enforce at least baseline, admirably restricted as default. In order not to break control plane workloads this allows workloads in
openshift-cluster-csi-driversnamespace to run privileged pods.See openshift/enhancements#899 for more details (and excuse the eventual consistency of updates).
/cc @stlaz