podsecurity: enforce privileged for openshift-cluster-csi-drivers namespace #218
/cc @deads2k
@@ -10,3 +10,6 @@ metadata: | |||
workload.openshift.io/allowed: "management" | |||
labels: | |||
openshift.io/cluster-monitoring: "true" | |||
pod-security.kubernetes.io/enforce: privileged | |||
pod-security.kubernetes.io/audit: privileged | |||
pod-security.kubernetes.io/warn: privileged |
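Review bot: setting `audit` and `warn` to `privileged` as well (the last two added lines) removes the only signal the PR description says the project wants to move toward; with all three modes at `privileged`, nothing is logged and no warning is returned for pods that could not run under `baseline` or `restricted`. Since `pod-security.kubernetes.io/enforce: privileged` alone is what keeps the CSI driver pods admitted, consider keeping that line and setting `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` (or `baseline`), so progress can be measured from audit logs and dry-run warnings without affecting admission. A short YAML comment above the labels pointing at the enhancement would also tell the next reader why this namespace is exempt.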
For historical reasons, the Manila CSI driver is deployed to a different namespace than the other CSI drivers (assets/csidriveroperators/manila/01_namespace.yaml). That driver also has a component that needs to be privileged.
Could you add these labels to that namespace as well? Note that that NS is created by this operator, not CVO.
@bertinatto added the labels, thank you!
f04c691 to 2a3fbb6
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bertinatto, s-urbaniak

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
/retest-required Please review the full test history for this PR and help us cut down flakes.
@s-urbaniak: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/retest-required Please review the full test history for this PR and help us cut down flakes.
Starting with OpenShift 4.10 we are introducing PodSecurity admission (https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement).

Currently, all pods are marked as privileged; however, over time we want to enforce at least baseline, ideally restricted, as the default. In order not to break control plane workloads, this allows workloads in the `openshift-cluster-csi-drivers` namespace to run privileged pods. See openshift/enhancements#899 for more details (and excuse the eventual consistency of updates).
/cc @stlaz
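The PR description explains the three PodSecurity admission modes that the namespace labels in this change set (`enforce`, `audit`, `warn`) and the intended direction of travel (privileged now, baseline or restricted later). The following script is an added example, not code from this PR or from the cluster-storage-operator project: it lints namespace manifests for their `pod-security.kubernetes.io/*` labels, flagging namespaces that enforce `privileged` and, more usefully, namespaces where `audit`/`warn` are also `privileged` and therefore give no signal about what would break under a stricter level. The manifests are constructed inline as Python dicts (the shape `yaml.safe_load` would return), so no YAML library is needed; the namespace names and the "hardened" variant are assumptions for illustration, with only the label keys and the `openshift-cluster-csi-drivers` namespace taken from the page.

```python
"""Lint Pod Security Admission (PSA) labels on Kubernetes namespace manifests.

Added example; not part of the cluster-storage-operator repository.
Manifests are constructed inline as dicts so the script runs offline.
"""

# PSA levels ordered from least to most restrictive.
LEVELS = {"privileged": 0, "baseline": 1, "restricted": 2}
MODES = ("enforce", "audit", "warn")
PREFIX = "pod-security.kubernetes.io/"


def psa_labels(manifest):
    """Return {mode: level-or-None} for the three PSA modes of a namespace."""
    labels = manifest.get("metadata", {}).get("labels") or {}
    return {mode: labels.get(PREFIX + mode) for mode in MODES}


def lint_namespace(manifest):
    """Return a list of (severity, message) findings for one namespace manifest."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    levels = psa_labels(manifest)
    findings = []

    # Unknown level strings are silently ignored by nothing: PSA rejects them,
    # so treat them as errors rather than as "no label".
    for mode, value in levels.items():
        if value is not None and value not in LEVELS:
            findings.append(("error", f"{name}: {PREFIX}{mode}={value!r} is not a valid PSA level"))

    valid = {m: v for m, v in levels.items() if v in LEVELS}
    enforce = valid.get("enforce")

    if all(v is None for v in levels.values()):
        findings.append(("info", f"{name}: no PSA labels; cluster-wide defaults apply"))
        return findings

    if enforce == "privileged":
        findings.append(("info", f"{name}: enforce=privileged; PSA will not reject any pod here"))
        # enforce=privileged is sometimes unavoidable (e.g. CSI driver pods),
        # but audit/warn at privileged means no visibility toward baseline/restricted.
        for mode in ("audit", "warn"):
            if valid.get(mode) == "privileged":
                findings.append(("warn", f"{name}: {mode}=privileged gives no signal about pods "
                                         "that would fail baseline or restricted"))

    # audit/warn below the enforced level is unusual: they are meant to look ahead.
    for mode in ("audit", "warn"):
        level = valid.get(mode)
        if enforce in LEVELS and level in LEVELS and LEVELS[level] < LEVELS[enforce]:
            findings.append(("warn", f"{name}: {mode}={level} is weaker than enforce={enforce}"))
    return findings


def lint_all(manifests):
    """Map namespace name -> findings, for a list of manifests."""
    return {m["metadata"]["name"]: lint_namespace(m) for m in manifests}


def make_namespace(name, psa=None, extra_labels=None):
    """Build a constructed Namespace manifest with the given PSA mode levels."""
    labels = dict(extra_labels or {})
    for mode, level in (psa or {}).items():
        labels[PREFIX + mode] = level
    return {"apiVersion": "v1", "kind": "Namespace",
            "metadata": {"name": name, "labels": labels}}


# Constructed sample manifests (names other than openshift-cluster-csi-drivers are assumed).
SAMPLE_MANIFESTS = [
    # Labels as added by the PR: all three modes at privileged.
    make_namespace("openshift-cluster-csi-drivers",
                   {"enforce": "privileged", "audit": "privileged", "warn": "privileged"},
                   {"openshift.io/cluster-monitoring": "true"}),
    # Hypothetical variant: still admits privileged pods, but audits/warns at restricted.
    make_namespace("example-csi-audited",
                   {"enforce": "privileged", "audit": "restricted", "warn": "restricted"}),
    # Typo in the level string (constructed) would make PSA reject the label.
    make_namespace("example-typo", {"enforce": "privilege"}),
    # No PSA labels at all.
    make_namespace("example-unlabeled"),
]


if __name__ == "__main__":
    for ns, findings in lint_all(SAMPLE_MANIFESTS).items():
        for severity, message in findings:
            print(f"[{severity}] {message}")
```

Run it as-is to see the findings for the four constructed namespaces; to lint a real cluster, feed it the output of `kubectl get namespaces -o json` (the `items` list) in place of `SAMPLE_MANIFESTS`. The check deliberately treats `enforce: privileged` as informational (it is sometimes required, as for the CSI driver pods here) and reserves the warning for `audit`/`warn` at `privileged`, because those two modes are the ones that cost nothing to tighten and are how a team measures its distance from `baseline` or `restricted`.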