From f3a80a02335b41b84570aed819c977c1a29070e2 Mon Sep 17 00:00:00 2001 From: Andrea Hoffer Date: Mon, 7 Nov 2022 11:04:45 -0500 Subject: [PATCH] OSDOCS-4462: Adding notice of future plans to enable PSA restricted enforcement --- release_notes/ocp-4-12-release-notes.adoc | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/release_notes/ocp-4-12-release-notes.adoc b/release_notes/ocp-4-12-release-notes.adoc index 4febbe203a16..5bae29ff284f 100644 --- a/release_notes/ocp-4-12-release-notes.adoc +++ b/release_notes/ocp-4-12-release-notes.adoc 
@@ -559,6 +559,26 @@ The Cloud Credential Operator utility (`ccoctl`) now creates secrets that use re With this release, when you xref:../installing/installing_gcp/uninstalling-cluster-gcp.adoc#cco-ccoctl-deleting-sts-resources_uninstalling-cluster-gcp[delete GCP resources with the Cloud Credential Operator utility], you must specify the directory containing the files for the component `CredentialsRequest` objects. +[discrete] +[id="ocp-4-12-psa-restricted-enforcement"] +=== Future restricted enforcement for pod security admission + +Currently, pod security violations are shown as warnings and logged in the audit logs, but do not cause the pod to be rejected. + +Global restricted enforcement for pod security admission is currently planned for the next minor release of {product-title}. When this restricted enforcement is enabled, pods with pod security violations will be rejected. + +To prepare for this upcoming change, ensure that your workloads match the pod security admission profile that applies to them. Workloads that are not configured according to the enforced security standards defined globally or at the namespace level will be rejected. The `restricted-v2` SCC admits workloads according to the link:https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted[Restricted] Kubernetes definition. + +If you are receiving pod security violations, see the following resources: + +* See xref:../authentication/understanding-and-managing-pod-security-admission.adoc#security-context-constraints-psa-alert-eval_understanding-and-managing-pod-security-admission[Identifying pod security violations] for information about how to find which workloads are causing pod security violations. 
+ +* See xref:../authentication/understanding-and-managing-pod-security-admission.adoc#security-context-constraints-psa-synchronization_understanding-and-managing-pod-security-admission[Security context constraint synchronization with pod security standards] to understand when pod security admission label synchronization is performed. Pod security admission labels are not synchronized in certain situations, such as the following situations: +** The workload is running in a system-created namespace that is prefixed with `openshift-`. +** The workload is running on a pod that was created directly without a pod controller. + +* If necessary, you can set a custom admission profile on the namespace or pod by setting the `pod-security.kubernetes.io/enforce` label. + [id="ocp-4-12-deprecated-removed-features"] == Deprecated and removed features
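Review bot: The last added bullet states that the `pod-security.kubernetes.io/enforce` label can be set "on the namespace or pod", but pod security admission labels are namespace labels only; placing that label on a pod has no effect, so readers following this text would apply a setting that does nothing. Suggest rewording to: `* If necessary, you can set the admission profile for a namespace by setting the pod-security.kubernetes.io/enforce label on the namespace to privileged, baseline, or restricted.` The phrase "custom admission profile" is also misleading, since pod security admission only offers those three predefined levels rather than custom profiles. Two smaller style points in the same hunk: "in certain situations, such as the following situations:" repeats the word and reads cleaner as "in certain situations, such as the following:", and "The workload is running on a pod that was created directly without a pod controller" would be clearer as "The workload is a pod that was created directly without a pod controller", since the workload is the pod in that case.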