mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-07 00:48:01 +01:00
openshift-docs/modules/microshift-security-context-constraints-opting.adoc
2023-10-30 10:13:25 -04:00
// Module included in the following assemblies:
//
// * microshift_running_apps/microshift-authentication.adoc
:_mod-docs-content-type: PROCEDURE
[id="microshift-security-context-constraints-opting_{context}"]
= Controlling pod security admission synchronization

You can enable automatic pod security admission synchronization for most namespaces.

System defaults are not enforced when the `security.openshift.io/scc.podSecurityLabelSync` label is empty or set to `false`. You must set the label to `true` for synchronization to occur.

[IMPORTANT]
====
Namespaces that are defined as part of the cluster payload have pod security admission synchronization disabled permanently. These namespaces include:

* `default`
* `kube-node-lease`
* `kube-system`
* `kube-public`
* `openshift`
* All system-created namespaces that are prefixed with `openshift-`, except for `openshift-operators`

By default, all namespaces that have an `openshift-` prefix are not synchronized. You can enable synchronization for any user-created [x-]`openshift-*` namespaces. You cannot enable synchronization for any system-created [x-]`openshift-*` namespaces, except for `openshift-operators`.

If an Operator is installed in a user-created `openshift-*` namespace, synchronization is turned on by default after a cluster service version (CSV) is created in the namespace. The synchronized label inherits the permissions of the service accounts in the namespace.
====

.Procedure
* To enable pod security admission label synchronization in a namespace, set the value of the `security.openshift.io/scc.podSecurityLabelSync` label to `true`.
+
Run the following command:
+
[source,terminal]
----
$ oc label namespace <namespace> security.openshift.io/scc.podSecurityLabelSync=true
----

[NOTE]
====
You can use the `--overwrite` flag to change the value of an existing label, for example to set it back to `false` and disable pod security label synchronization in a namespace.
====
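As an added example that is not part of this module, the following Python audits a constructed `oc get namespaces -o json` document against the rules above and lists the `oc label` commands that would enable synchronization where it is allowed. The `user_created_openshift_ns` set is an assumption of the example: the namespace name alone does not show whether an `openshift-*` namespace was created by the system or by a user.

```python
import json
# Added example (not from the OpenShift docs). Applies this module's rules to a
# constructed `oc get namespaces -o json` document so it runs offline.
SYNC_LABEL = "security.openshift.io/scc.podSecurityLabelSync"
# Cluster payload namespaces: synchronization is disabled permanently.
PAYLOAD_NAMESPACES = {"default", "kube-node-lease", "kube-system", "kube-public", "openshift"}
SYSTEM_PREFIX_EXCEPTION = "openshift-operators"

def sync_state(name, labels, user_created_openshift_ns=frozenset()):
    """Return 'permanently-disabled', 'enabled' or 'disabled' for one namespace.

    Whether an openshift-* namespace is user-created cannot be read from its
    name, so the caller supplies that set (an assumption of this example).
    """
    if name in PAYLOAD_NAMESPACES:
        return "permanently-disabled"
    if (name.startswith("openshift-") and name != SYSTEM_PREFIX_EXCEPTION
            and name not in user_created_openshift_ns):
        return "permanently-disabled"
    # Only the exact value "true" enables sync; a missing, empty or "false"
    # label leaves the system defaults unenforced.
    return "enabled" if labels.get(SYNC_LABEL) == "true" else "disabled"

def audit(ns_json, user_created_openshift_ns=frozenset()):
    """Map each namespace in an `oc get namespaces -o json` document to its state."""
    states = {}
    for item in json.loads(ns_json)["items"]:
        meta = item["metadata"]
        states[meta["name"]] = sync_state(
            meta["name"], meta.get("labels") or {}, user_created_openshift_ns)
    return states

def remediation_commands(states):
    """List the `oc label` commands that would enable sync where it is allowed."""
    return [f"oc label namespace {ns} {SYNC_LABEL}=true"
            for ns, state in sorted(states.items()) if state == "disabled"]

# Constructed sample output, not captured from a real cluster.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "default", "labels": {}}},
    {"metadata": {"name": "openshift-monitoring", "labels": {}}},
    {"metadata": {"name": "openshift-operators", "labels": {SYNC_LABEL: "false"}}},
    {"metadata": {"name": "openshift-myapp", "labels": {SYNC_LABEL: "true"}}},
    {"metadata": {"name": "team-a"}},
    {"metadata": {"name": "team-b", "labels": {SYNC_LABEL: "true"}}},
]})

if __name__ == "__main__":
    for cmd in remediation_commands(audit(SAMPLE, {"openshift-myapp"})):
        print(cmd)
```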