ROX-30372: Update docs for admission controller changes #100022
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@kcarmichael08: This pull request references ROX-30372 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
added
the
size/M
kcarmichael08
added
rhacs-docs-4.9
RHACS
kcarmichael08
force-pushed
the
ROX-30372-admission-controller-changes
branch
from
61c2867 to
660b10b
Compare
openshift-ci
bot
added
the
size/M
kcarmichael08
force-pushed
the
ROX-30372-admission-controller-changes
branch
from
660b10b to
e225770
Compare
openshift-ci
bot
added
size/L
kcarmichael08
force-pushed
the
ROX-30372-admission-controller-changes
branch
from
e225770 to
459b305
Compare
|
@kcarmichael08: This pull request references ROX-30372 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
kcarmichael08
force-pushed
the
ROX-30372-admission-controller-changes
branch
from
459b305 to
6c3789a
Compare
|
@kcarmichael08: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
@kcarmichael08: This pull request references ROX-30372 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
| = Bypassing admission controller enforcement | ||
|
|
||
| [role="_abstract"] | ||
| To bypass the admission controller, add the `admission.stackrox.io/break-glass` annotation to your configuration YAML. |
There was a problem hiding this comment.
This reads incorrectly to me. The annotation is used on the deployment that will then be excluded from admission controller based detection and enforcement. The configuration of whether the annotation will be honored or not by the admission controller is in the cluster configuration.
| . In the {product-title-short} portal, select *Platform Configuration* -> *Clusters*. | ||
| . Select an existing cluster from the list. | ||
| . In the *Dynamic configuration* section, in the *Admission controller enforcement behavior* field, select one of the following options: | ||
| * Enforce policies: If enforcement is configured for a policy, the admission controller enforces the policy by rejecting the deployment or update attempt. |
There was a problem hiding this comment.
enforces policies that are configured for enforcement
| . Select an existing cluster from the list. | ||
| . In the *Dynamic configuration* section, in the *Admission controller enforcement behavior* field, select one of the following options: | ||
| * Enforce policies: If enforcement is configured for a policy, the admission controller enforces the policy by rejecting the deployment or update attempt. | ||
| * No enforcement: Even if enforcement is configured for a policy, if this option is selected, the admission controller does not enforce the policy and allows a deployment or update to the cluster that violates the policy conditions. |
There was a problem hiding this comment.
allows workload admission attempts or updates that violate the policy
| . Disable enforcement on the default policies that you do not want to enforce. For example: | ||
| ** In the policies view, click the *Kubernetes Actions: Exec into Pod* policy. Selection *Actions* -> *Disable policy*. | ||
| . In the {product-title-short} portal, go to *Platform Configuration* -> *Policy Management*. Depending on the policy, do one of the following steps: | ||
| * For default policies, you cannot edit enforcement options. If you do not want the policy enforced, select *Actions* -> *Disable policy*. |
There was a problem hiding this comment.
If you do not want the policy to be evaluated against workload operations, select ....
| * For default policies, you cannot edit enforcement options. If you do not want the policy enforced, select *Actions* -> *Disable policy*. | ||
| * For custom policies, to disable enforcement, do these steps: | ||
| ** Select *Actions* -> *Edit policy*. | ||
| ** Go to *Policy behavior* -> *Actions* and in the *Enforcement* section, select *Inform*. If the policy is violated, a policy violation is included in the violations list, but the admission controller does not prevent deployment or updates that violate the policy. |
There was a problem hiding this comment.
I would remove the "he admission controller does not prevent deployment or updates that violate the policy."
(given even sensor cannot enforce on such policies)
There was a problem hiding this comment.
Also recommend using: workload admission and updates (since we are consciously steering clear of "deployment" verbiage even in the UI)
| * Enforce policies: If enforcement is configured for a policy, the admission controller enforces the policy by rejecting the deployment or update attempt. | ||
| * No enforcement: Even if enforcement is configured for a policy, if this option is selected, the admission controller does not enforce the policy and allows a deployment or update to the cluster that violates the policy conditions. | ||
| . Select *Next*. | ||
| . Select *Finish*. {product-title-short} automatically synchronizes the Sensor and applies the changes. |
There was a problem hiding this comment.
Automatically synchronizes to admission controller, not sensor.
| . Select *Next*. | ||
| . Select *Finish*. {product-title-short} automatically synchronizes the Sensor and applies the changes. | ||
|
|
||
| .Verification |
There was a problem hiding this comment.
We can get enforcement configuration behavior from the ValidatingWebhookConfiguration k8s resource. The configuration settings are available in admission controller logs.
| * You cannot use admission controller enforcement for the following items: | ||
| ** Any runtime behavior, such as processes | ||
| ** Any policies based on port exposure | ||
| * The admission controller might fail if there are connectivity issues between the Kubernetes or {ocp} API server and {product-title-short} Sensor. |
There was a problem hiding this comment.
This needs looking into for correctness. I don't think admission controller fails if there are connectivity issues between api server and sensor
| ** Any runtime behavior, such as processes | ||
| ** Any policies based on port exposure | ||
| * The admission controller might fail if there are connectivity issues between the Kubernetes or {ocp} API server and {product-title-short} Sensor. | ||
| To resolve this issue, delete the `ValidatingWebhookConfiguration` object as described in "Disabling admission controller enforcement". |
There was a problem hiding this comment.
There are several things which are incorrect in this section, and I believe talking through them might be enable us to resolve this quicker
|
|
||
| include::modules/disable-associated-policies.adoc[leveloffset=+2] | ||
|
|
||
| //this module should be removed since this option no longer exists, I think - isn't it replaced by Clusters -> Admission controller enforcement behavior -> Disabled ? |
There was a problem hiding this comment.
It is not replaced. Enforcement is separate from webhook enabled or not. Enforcement requires the webhook enabled (which is now not configurable, and always enabled), but enforcement is optional
| .Procedure | ||
| . In the {product-title-short} portal, select *Platform Configuration* -> *Clusters*. | ||
| . Select an existing cluster from the list. | ||
| . In the *Dynamic configuration* section, in the *Admission controller enforcement behavior* field, select one of the following options: |
There was a problem hiding this comment.
You can disable above
select one of the following options here
@clickboo is the existing wording correct that customers can change it here versus see the result of change via Helm or Operator?
There was a problem hiding this comment.
If this is indeed meant for Helm or operator clusters the wording is incorrect.
| //Also add something about how it needs to be configured when installing the Operator, if you have chosen an Operator install method | ||
| * For new clusters installed by using the Operator, Helm, or `roxctl` CLI methods, follow the instructions in "Installing {product-title-short} on Red Hat OpenShift" and "Installing {product-title-short} on other platforms". | ||
| * For new clusters created in the {product-title-short} portal, select *Secure a cluster* and use the legacy installation method. | ||
| * For existing clusters, unless the cluster was installed by using the Operator, you can edit the cluster in the *Clusters* view in the {product-title-short} portal. You cannot edit Operator-managed clusters by using the portal. |
There was a problem hiding this comment.
Is this technically true, if you download an updated Helm chart from portal, and then apply it?
What is pro and con to rewrite specifically for clusters originally created via portal?
Because if I understand correctly, for Helm (or roxctl to get Helm chart) customers can make changes independent of portal, and will prefer to for gitops.
|
|
||
| [role="_abstract"] | ||
| To bypass the admission controller, add the `admission.stackrox.io/break-glass` annotation to your configuration YAML. | ||
| Bypassing the admission controller triggers a policy violation which includes deployment details. |
There was a problem hiding this comment.
Accidentally deleted your comment @clickboo but this is existing text - I don't understand what it means either. Should we remove?
Version(s): 4.9+
Issue
Links to docs previews:
QE review:
Additional information:
Related PRs:
#100082 - Installation changes