ROX-30372: Update docs for admission controller changes #100022
kcarmichael08 wants to merge 1 commit into openshift:rhacs-docs-main from kcarmichael08:ROX-30372-admission-controller-changes
+213 −421
@@ -0,0 +1,30 @@ | ||
// Module included in the following assemblies: | ||
// | ||
// * operating/manage_security_policies/use-admission-controller-enforcement.adoc | ||
:_mod-docs-content-type: PROCEDURE | ||
[id="admission-controller-failure-policy-changing_{context}"] | ||
= Configuring the admission controller failure policy on an existing cluster | ||
|
||
[role="_abstract"] | ||
You can configure the admission controller failure policy for an existing cluster. This setting determines whether the API server request is allowed (fail open) or blocked (fail closed) if an error or timeout happens in the {product-title-short} validating webhook evaluation. | ||
|
||
. For a cluster that was installed by using the Operator, in the `SecuredCluster` custom resource (CR), edit the `admissionControl.failurePolicy` parameter to `Ignore` to fail open, or `Fail` to fail closed. | ||
. For a cluster that was installed by using Helm, in the `values-public.yaml` file, set the `admissionControl.failurePolicy` value to parameter to `Ignore` to fail open, or `Fail` to fail closed. Then then run the following command: | ||
+ | ||
[source,terminal] | ||
---- | ||
helm upgrade -n stackrox \ | ||
stackrox-secured-cluster-services rhacs/secured-cluster-services \ | ||
--reuse-values \ | ||
-f /config/yaml/values-public.yaml \ | ||
-f /config/yaml/values-private.yaml | ||
---- | ||
. For clusters installed by another method, you can use the {product-title-short} portal to edit the admission controller failure policy. You cannot edit Operator- or Helm-managed clusters by using the portal. Perform these steps: | ||
.. In the {product-title-short} portal, select *Platform Configuration* -> *Clusters*. | ||
.. Click *Secure a cluster* -> *Legacy installation method*. | ||
.. In the *Static configuration (requires deployment)* section, in the *Admission controller failure policy* field, select one of the following options: | ||
* *Fail open*: If an error or timeout occurs when a workload admission or update request is being evaluated by the validating webhook, the request should be allowed to reach the API server. | ||
* *Fail closed*: If an error or timeout occurs when a workload admission or update request is being evaluated by the validating webhook, the request should not be allowed to reach the API server, but should be blocked. | ||
.. Select *Next*. | ||
.. Select *Finish*. Because this is a change to the static configuration, you must redeploy the cluster for your changes to take effect. | ||
|
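Review bot: the portal steps in this "existing cluster" procedure go through *Secure a cluster* -> *Legacy installation method*, which is the flow for registering a new cluster, while the companion "during installation" module in this PR tells the reader to "Select an existing cluster from the list"; the two sets of portal steps look swapped and should be exchanged. Step 2 also has a doubled phrase, "set the `admissionControl.failurePolicy` value to parameter to `Ignore`", and "Then then run"; suggest "set the `admissionControl.failurePolicy` value to `Ignore` to fail open, or `Fail` to fail closed, and then run the following command:". The *Fail open* and *Fail closed* descriptions say the request "should be allowed to reach the API server", but the API server has already received the request by the time it calls the validating webhook; what this setting decides is whether the API server admits the request when the webhook errors or times out. Suggest "the API server admits the request without a policy decision" and "the API server rejects the request", and consider adding the caveat a reader choosing this value needs: with `Ignore`, an admission-control outage or timeout silently skips enforcement, and with `Fail`, an outage blocks every create or update the webhook is configured to evaluate until admission control is healthy again.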
@@ -0,0 +1,20 @@ | ||
// Module included in the following assemblies: | ||
// | ||
// * operating/manage_security_policies/use-admission-controller-enforcement.adoc | ||
:_mod-docs-content-type: PROCEDURE | ||
[id="admission-controller-failure-policy_{context}"] | ||
= Configuring the admission controller failure policy during installation | ||
|
||
[role="_abstract"] | ||
You can configure the admission controller failure policy when you install a cluster. This setting determines whether the API server request is allowed (fail open) or blocked (fail closed) if an error or timeout happens in the {product-title-short} validating webhook evaluation. | ||
|
||
. When installing a cluster by using the Operator, Helm, or `roxctl` CLI methods, follow the instructions in "Installing {product-title-short} on Red Hat OpenShift" and "Installing {product-title-short} on other platforms" to configure this parameter during installation. | ||
. When installing a cluster by using the legacy installation method, follow these steps: | ||
.. In the {product-title-short} portal, select *Platform Configuration* -> *Clusters*. | ||
.. Select an existing cluster from the list. | ||
.. In the *Static configuration (requires deployment)* section, in the *Admission controller failure policy* field, select one of the following options: | ||
* *Fail open*: If an error or timeout occurs when a workload admission or update request is being evaluated by the validating webhook, the request should be allowed to reach the API server. | ||
* *Fail closed*: If an error or timeout occurs when a workload admission or update request is being evaluated by the validating webhook, the request should not be allowed to reach the API server, but should be blocked. | ||
.. Select *Next*. | ||
.. Select *Finish*. Because this is a change to the static configuration, you must redeploy the cluster for your changes to take effect. | ||
|
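Review bot: step 2 of this installation-time procedure starts with "Select an existing cluster from the list", which is the existing-cluster flow, and ends with "Because this is a change to the static configuration, you must redeploy the cluster", which cannot apply to a cluster that has not been deployed yet; these portal steps and the ones in the "existing cluster" module (which clicks *Secure a cluster* -> *Legacy installation method*) appear to be swapped. After swapping, the redeploy sentence should be dropped from this module or reworded to describe what happens at install time. Step 1 sends the reader to the two installation guides by title only; since they are being sent there specifically for this setting, name the parameter and its values here (`admissionControl.failurePolicy`, `Ignore` or `Fail`, as the existing-cluster module does) so they know what to look for.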
@@ -1,12 +1,43 @@ | ||
// Module included in the following assemblies: | ||
// | ||
// * operating/manage_security_policies/about-security-policies.adoc | ||
// * operating/manage_security_policies/use-admission-controller-enforcement.adoc | ||
|
||
:_mod-docs-content-type: CONCEPT | ||
:_mod-docs-content-type: PROCEDURE | ||
[id="bypass-admission-controller-enforcement_{context}"] | ||
= Bypassing admission controller enforcement | ||
|
||
[role="_abstract"] | ||
To bypass the admission controller, add the `admission.stackrox.io/break-glass` annotation to your configuration YAML. | ||
Bypassing the admission controller triggers a policy violation which includes deployment details. | ||
Red{nbsp}Hat recommends providing an issue-tracker link or some other reference as the value of this annotation so that others can understand why you bypassed the admission controller. | ||
To configure a deployment to bypass the admission controller, you must set the `admission.stackrox.io/break-glass` annotation on the deployment. Bypassing the admission controller triggers a violation of the "StackRox Emergency Deployment Annotation" policy, which includes deployment details. | ||
|
||
To help others understand why you bypassed the admission controller, use an issue-tracker link or some other reference as the value of this annotation. | ||
|
||
.Prerequisites | ||
|
||
* You have enabled the ability to bypass the admission controller on the secured cluster by setting the `admissionControl.bypass` parameter to `BreakGlassAnnotation`. | ||
|
||
.Procedure | ||
|
||
. Create a deployment YAML that includes the `admission.stackrox.io/break-glass` annotation, as shown in the following example: | ||
|
||
[source,yaml] | ||
---- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
annotations: | ||
"admission.stackrox.io/break-glass": "jira-3423" | ||
creationTimestamp: "2025-03-07T03:18:21Z" | ||
generation: 1 | ||
labels: | ||
app: hello-node | ||
name: hello-node | ||
namespace: test-bypass-adm | ||
... | ||
---- | ||
|
||
where: | ||
|
||
"admission.stackrox.io/break-glass": "jira-3423":: | ||
|
||
Provides a change control reference or relevant explanation for why the admission controller was bypassed. | ||
|
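Review bot: the example Deployment includes `creationTimestamp: "2025-03-07T03:18:21Z"` and `generation: 1`, which are server-populated fields that a user does not write into a manifest they are about to apply; since the step says "Create a deployment YAML", remove those two lines so readers do not copy them. The "where:" callout explains only the annotation value; add that the annotation belongs under the Deployment's top-level `metadata.annotations`, as the example shows, not under the Pod template, because "set the annotation on the deployment" alone leaves that ambiguous. The abstract names the violated policy as "StackRox Emergency Deployment Annotation"; please confirm that string against the policy name displayed in the portal's default policies so readers can find the resulting violation by that name.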
This file was deleted.
@@ -1,16 +1,30 @@ | ||
// Module included in the following assemblies: | ||
// | ||
// * operating/manage_security_policies/about-security-policies.adoc | ||
// * operating/manage_security_policies/use-admission-controller-enforcement.adoc | ||
:_mod-docs-content-type: PROCEDURE | ||
[id="disable-admission-controller-enforcement_{context}"] | ||
= Disabling admission controller enforcement | ||
= Disabling admission controller enforcement on a cluster | ||
|
||
[role="_abstract"] | ||
You can disable admission controller enforcement from the *Clusters* view on the {product-title} ({product-title-short}) portal. | ||
You can disable admission controller enforcement on a cluster when installing {product-title-short}. For clusters that you did not install by using the Operator or Helm, you can disable admission controller enforcement from the *Clusters* view on the {product-title} ({product-title-short}) portal. | ||
|
||
.Procedure | ||
. In the {product-title-short} portal, select *Platform Configuration* -> *Clusters*. | ||
. Select an existing cluster from the list. | ||
. Turn off the *Enforce on Object Creates* and *Enforce on Object Updates* toggles in the *Dynamic Configuration* section. | ||
. Select *Next*. | ||
. Select *Finish*. | ||
. For a cluster that was installed by using the Operator, in the `SecuredCluster` custom resource (CR), edit the `admissionControl.enforcement` parameter to `Disabled`. | ||
. For a cluster that was installed by using Helm, in the `values-public.yaml` file, set the `admissionControl.enforce` value to `false` and run the following command: | ||
+ | ||
[source,terminal] | ||
---- | ||
helm upgrade -n stackrox \ | ||
stackrox-secured-cluster-services rhacs/secured-cluster-services \ | ||
--reuse-values \ | ||
-f /config/yaml/values-public.yaml \ | ||
-f /config/yaml/values-private.yaml | ||
---- | ||
. For clusters that are not managed by the Operator or Helm, you can use the {product-title-short} portal to change this setting: | ||
.. In the {product-title-short} portal, select *Platform Configuration* -> *Clusters*. | ||
.. Select an existing cluster from the list. | ||
.. In the *Dynamic configuration* section, in the *Admission controller enforcement behavior* field, select one of the following options: | ||
* Enforce policies: The admission controller enforces policies that are configured for enforcement by rejecting the workload admission or update attempt. | ||
* No enforcement: Even if enforcement is configured for a policy, if this option is selected, the admission controller does not enforce the policy and allows workload admission attempts or updates that violate the policy. | ||
.. Select *Next*. | ||
.. Select *Finish*. |
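Review bot: the abstract now says you can disable enforcement "when installing", but the title says "on a cluster" and every step edits an already-installed cluster (editing the `SecuredCluster` CR, running `helm upgrade`, selecting an existing cluster); suggest "You can disable admission controller enforcement on an existing cluster." The Operator step sets `admissionControl.enforcement` to `Disabled` while the Helm step sets `admissionControl.enforce` to `false`; please double-check both names against the SecuredCluster CR and Helm chart references, since the failure-policy module in this PR uses the same `admissionControl.failurePolicy` key for both paths. The old procedure turned off *Enforce on Object Creates* and *Enforce on Object Updates* separately, and the new single *Admission controller enforcement behavior* field drops that per-operation choice; if enforcement is now all-or-nothing, say so in one sentence so readers looking for the old toggles are not left guessing. The two options ("Enforce policies", "No enforcement") should be bold like *Fail open* and *Fail closed* in the failure-policy module. Per the review thread on this PR, disabling enforcement from the Clusters view is not the recommended method; if that is confirmed, add a note to the portal step saying so and pointing readers to the Operator or Helm path.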
This file was deleted.
In https://issues.redhat.com/browse/ROX-28753, Sakshi says this is not the recommended way to turn off enforcement. Is that correct? She wanted it noted in the docs. @clickboo She says:
We can disable admission controller enforcement from the Clusters view in the RHACS portal, which is NOT a recommended method.