From f963db51800ca495c02de0f87f79165bbeddf3f7 Mon Sep 17 00:00:00 2001 From: Andrea Hoffer Date: Mon, 20 Mar 2023 16:04:52 -0400 Subject: [PATCH] OSDOCS-5459: Adding note of plans for PSA restricted enforcement --- release_notes/ocp-4-13-release-notes.adoc | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/release_notes/ocp-4-13-release-notes.adoc b/release_notes/ocp-4-13-release-notes.adoc index e0ea5dc2d8..7b9a0829e4 100644 --- a/release_notes/ocp-4-13-release-notes.adoc +++ b/release_notes/ocp-4-13-release-notes.adoc 
@@ -457,12 +457,32 @@ For more information, see the xref:../operators/operator-reference.adoc#cluster- [id="ocp-4-13-mco-certificate-changes"] ==== The MCD now syncs kubelet CA certificates on paused pools -Previously, the Machine Config Operator (MCO) updated the kubelet client certificate authority (CA) certificate, `/etc/kubernetes/kubelet-ca.crt`, as a part of the regular machine config update. Starting with {product-title} (product-version}, the `kubelet-ca.crt` no longer gets updated as a part of the regular machine config update. As a result of this change, the Machine Config Daemon (MCD) automatically keeps the `kubelet-ca.crt` up to date whenever changes to the certificate occur. +Previously, the Machine Config Operator (MCO) updated the kubelet client certificate authority (CA) certificate, `/etc/kubernetes/kubelet-ca.crt`, as a part of the regular machine config update. Starting with {product-title} (product-version}, the `kubelet-ca.crt` no longer gets updated as a part of the regular machine config update. As a result of this change, the Machine Config Daemon (MCD) automatically keeps the `kubelet-ca.crt` up to date whenever changes to the certificate occur. Also, if a machine config pool is paused, the MCD is now able to push the newly rotated certificates to those nodes. A new rendered machine config, which contains the changes to the certificate, is generated for the pool, like in previous versions. The pool will indicate that an update is required; this condition will be removed in a future release of this product. However, because the certificate is updated separately, it is safe to keep the pool paused, assuming there are no further updates. Also, the `MachineConfigControllerPausedPoolKubeletCA` alert has been removed, because the nodes should always have the most up-to-date `kubelet-ca.crt`. 
+[discrete] +[id="ocp-4-13-psa-restricted-enforcement"] +=== Future restricted enforcement for pod security admission + +Currently, pod security violations are shown as warnings and logged in the audit logs, but do not cause the pod to be rejected. + +Global restricted enforcement for pod security admission is currently planned for the next minor release of {product-title}. When this restricted enforcement is enabled, pods with pod security violations will be rejected. + +To prepare for this upcoming change, ensure that your workloads match the pod security admission profile that applies to them. Workloads that are not configured according to the enforced security standards defined globally or at the namespace level will be rejected. The `restricted-v2` SCC admits workloads according to the link:https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted[Restricted] Kubernetes definition. + +If you are receiving pod security violations, see the following resources: + +* See xref:../authentication/understanding-and-managing-pod-security-admission.adoc#security-context-constraints-psa-alert-eval_understanding-and-managing-pod-security-admission[Identifying pod security violations] for information about how to find which workloads are causing pod security violations. + +* See xref:../authentication/understanding-and-managing-pod-security-admission.adoc#security-context-constraints-psa-synchronization_understanding-and-managing-pod-security-admission[Security context constraint synchronization with pod security standards] to understand when pod security admission label synchronization is performed. Pod security admission labels are not synchronized in certain situations, such as the following situations: +** The workload is running in a system-created namespace that is prefixed with `openshift-`. +** The workload is running on a pod that was created directly without a pod controller. 
+ +* If necessary, you can set a custom admission profile on the namespace or pod by setting the `pod-security.kubernetes.io/enforce` label. + [id="ocp-4-13-deprecated-removed-features"] == Deprecated and removed features
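Review bot: The last new bullet says the `pod-security.kubernetes.io/enforce` label can be set "on the namespace or pod"; pod security admission labels are namespace labels only, so this should read "on the namespace" (the pod itself carries no such label, and a reader following this line would end up labelling pods with no effect). While touching the MCD paragraph above, the `{product-title} (product-version}` attribute has a mismatched brace that is carried over unchanged from the `-` line into the `+` line; since the hunk already rewrites that line, correct it to `{product-title} {product-version}` here. Minor wording in the sub-bullets: "The workload is running on a pod that was created directly without a pod controller" reads oddly, since the workload is the pod; suggest "The workload is a pod that was created directly, without a pod controller." Also consider stating the section header's placement: a `[discrete] === ` heading is inserted after a `====` subsection and immediately before `== Deprecated and removed features`, so confirm that is the intended parent section for this notice rather than the surrounding Machine Config Operator block.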