mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00

MIG-1691: PSA labels should be called out explicitly in the docs

Signed-off-by: A.Arnold <anarnold@redhat.com>
This commit is contained in:
A.Arnold
2025-02-06 14:56:47 +00:00
committed by openshift-cherrypick-robot
parent 6c7e30e0f5
commit 019820c82e
3 changed files with 23 additions and 2 deletions


@@ -48,7 +48,12 @@ include::modules/configuring-retries-for-rsync.adoc[leveloffset=+3]
include::modules/ocp-running-rsync-root-or-non-root.adoc[leveloffset=+3]
To learn more about Pod Security Admission and setting values for labels, see xref:../authentication/understanding-and-managing-pod-security-admission.adoc#security-context-constraints-psa-opting_understanding-and-managing-pod-security-admission[Controlling pod security admission synchronization].
include::modules/security-context-constraints-psa-about.adoc[leveloffset=+4]
[role="_additional-resources"]
.Additional resources
* xref:../authentication/understanding-and-managing-pod-security-admission.adoc#security-context-constraints-psa-opting_understanding-and-managing-pod-security-admission[Controlling pod security admission synchronization].
include::modules/migration-rsync-migration-controller-root-non-root.adoc[leveloffset=+3]
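Review bot: the xref to `security-context-constraints-psa-opting_understanding-and-managing-pod-security-admission` is now duplicated within a few lines: once inline in the new sentence ("To learn more about Pod Security Admission and setting values for labels, see ...") and again as the only bullet under `.Additional resources`. Keep one of the two; the `.Additional resources` block is the convention the rest of the assembly uses, so the inline sentence is the one to drop or shorten. Also confirm that the new `include::modules/security-context-constraints-psa-about.adoc[leveloffset=+4]` renders at the intended depth beneath the `ocp-running-rsync-root-or-non-root` module (`leveloffset=+3`) and that its `{context}` resolves correctly in the migration assembly, since that module was written for the authentication docs.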


@@ -6,7 +6,7 @@
[id="ocp-running-rsync-root-or-non-root_{context}"]
= Running Rsync as either root or non-root
{OCP} environments have the `PodSecurityAdmission` controller enabled by default. This controller requires cluster administrators to enforce Pod Security Standards by means of namespace labels. All workloads in the cluster are expected to run one of the following Pod Security Standard levels: `Privileged`, `Baseline` or `Restricted`. Every cluster has its own default policy set.
{OCP} environments have the `PodSecurityAdmission` controller enabled by default. This controller requires cluster administrators to enforce Pod Security Standards by means of namespace labels. All workloads in the cluster are expected to run one of the following Pod Security Standard levels: `privileged`, `baseline` or `restricted`. Every cluster has its own default policy set.
To guarantee successful data transfer in all environments, {mtc-first} 1.7.5 introduced changes in Rsync pods, including running Rsync pods as non-root user by default. This ensures that data transfer is possible even for workloads that do not necessarily require higher privileges. This change was made because it is best to run workloads with the lowest level of privileges possible.
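Review bot: lowercasing `privileged`, `baseline` and `restricted` is the right fix, because these are the literal values of the `pod-security.kubernetes.io/enforce`, `audit` and `warn` namespace labels that the same sentence refers to; consider saying so explicitly (for example "... one of the following Pod Security Standard levels, set as namespace label values: ...") so readers connect the level names to the labels they must set. The unchanged sentence "Every cluster has its own default policy set." is vague; state what it means, for example that the profile enforced by default is configured per cluster and may differ from the one a migration namespace needs.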


@@ -71,3 +71,19 @@ The following system namespaces are always set to the `privileged` pod security
* `kube-system`
You cannot change the pod security profile for these privileged namespaces.
.Example privileged namespace configuration
[source,yaml]
----
apiVersion: v1
kind: Namespace
metadata:
labels:
openshift.io/cluster-monitoring: "true"
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged
name: "<mig_namespace>"
# ...
----
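Review bot: the example lands directly after "You cannot change the pod security profile for these privileged namespaces", so it reads as an illustration of the fixed system namespaces, yet it is named `"<mig_namespace>"` and carries `openshift.io/cluster-monitoring: "true"`, a label that has nothing to do with pod security admission. Add an introductory sentence stating that this shows a user namespace labeled for the `privileged` profile via the three `pod-security.kubernetes.io/*` labels, and when a migration namespace would need that given that the Rsync module above says transfers run as non-root by default; and drop the `cluster-monitoring` label unless it is required, so readers do not copy it into their own namespaces. Also verify in the source that `labels:`, the three label keys and `name:` are indented under `metadata:`, since indentation is not visible in this rendering.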