
Commit 8b0d2bb

committed
podsecurityreadinesscontroller: ignore restricted SCCs, drop debugging logs
1 parent 10fcc51 commit 8b0d2bb


1 file changed

+10
-10
lines changed

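--- a/pkg/operator/podsecurityreadinesscontroller/classification.go
+++ b/pkg/operator/podsecurityreadinesscontroller/classification.go
@@ -36,8 +36,6 @@ func (c *PodSecurityReadinessController) classifyViolatingNamespace(ctx context.
 return nil
 }
 
-// TODO@ibihim: increase log level
-klog.InfoS("Checking for user violations", "namespace", ns.Name, "enforceLevel", enforceLevel)
 isUserViolation, err := c.isUserViolation(ctx, ns, enforceLevel)
 if err != nil {
 klog.V(2).ErrorS(err, "Error checking user violations", "namespace", ns.Name)
@@ -46,11 +44,7 @@ func (c *PodSecurityReadinessController) classifyViolatingNamespace(ctx context.
 return err
 }
 
-// TODO@ibihim: increase log level
-klog.InfoS("User violation check result", "namespace", ns.Name, "isUserViolation", isUserViolation)
 if isUserViolation {
-// TODO@ibihim: increase log level
-klog.InfoS("Adding namespace to user SCC violations", "namespace", ns.Name)
 conditions.addViolatingUserSCC(ns)
 return nil
 }
@@ -87,10 +81,16 @@ func (c *PodSecurityReadinessController) isUserViolation(ctx context.Context, ns
 
 var userPods []corev1.Pod
 for _, pod := range allPods.Items {
-// TODO@ibihim: we should exclude Pod that have restricted-v2.
-// restricted-v2 SCCs are allowed for all system:authenticated. ServiceAccounts
-// are able to use that, but they are not part of the group. So restricted-v2
-// will always result in user.
+if strings.HasPrefix(pod.Annotations[securityv1.ValidatedSCCAnnotation], "restricted-v") {
+// restricted-v2 is allowed for all system:authenticated, also for ServiceAccounts.
+// But ServiceAccounts are not part of the group. So restricted-v2 will always
+// result in user-based SCC. So we skip them as the user-based SCCs cause harm
+// if they need a higher privileged than restricted.
+// We watch for any restricted version above the first one. We might introduce
+// restricted-v3 for user namespaces.
+continue
+}
+
 if pod.Annotations[securityv1.ValidatedSCCSubjectTypeAnnotation] == "user" {
 userPods = append(userPods, pod)
 }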
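Review bot: The prefix test on new line 84, `strings.HasPrefix(..., "restricted-v")`, exempts any SCC whose name merely starts with `restricted-v`, not only the built-in `restricted-v2`; SCC names are admin-chosen, so a custom SCC with broader privileges but a name like `restricted-v2-hostnet` would, as far as this hunk shows, also be skipped and its pods silently dropped from the user-violation check that decides whether the namespace is flagged. Since the comment says the intent is to cover future numbered versions, matching the numbered form exactly is safer: a package-level `var restrictedSCCName = regexp.MustCompile("^restricted-v[0-9]+$")` and `if restrictedSCCName.MatchString(pod.Annotations[securityv1.ValidatedSCCAnnotation]) {` on line 84. That would need `regexp` in the import block, which is outside the hunk, just as the new `strings` use presumably already requires. isUserViolation's body starts and ends outside the hunk.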
