Skip to content

etcd-backup: modify README due to PSA#87

Open
ibihim wants to merge 1 commit intoredhat-cop:masterfrom
ibihim:PSA
Open

etcd-backup: modify README due to PSA#87
ibihim wants to merge 1 commit intoredhat-cop:masterfrom
ibihim:PSA

Conversation

@ibihim
Copy link

@ibihim ibihim commented Jan 18, 2024

What is this PR About?

Discourages customers to use openshift-prefixed-namespaces.

Creating an OpenShift pre-fixed namespace will break in the future, if the namespace is not labeled manually.
With the introduction of PodSecurityAdmission (PSA) namespaces will have the ability to define the security level namespace-wide.
As SCCs are more fine-grained, we defined a label syncer controller that takes care of customer workloads and sets the PSA values accordingly.
This doesn't happen for OpenShift pre-fixed namespaces as we expect that every Team working on OpenShift is defining their security posture consciously.

In addition, Helm doesn't support to create namespaces with labels.

How do we test this?

kubectl get namespace system-etcd-backup -o jsonpath='{.metadata.labels}' | grep 'pod-security.kubernetes.io/'

Should return labels that are set to privileged.

cc: @redhat-cop/casl

@ibihim
etcd-backup: modify README due to PSA
208144f 
OpenShift manages customer workloads with the label syncer. Such that it
is taken care on behalf of the user.
For OpenShift namespaces, this is not true. It is expected that every
team decides consciously their security posture. It is not expected that
customer use that kind of namespaces!
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ibihim