Merge pull request #50310 from bergerhoffer/psa-clarifications

Clarifying the behavior of PSA sync

Author: bergerhoffer

modules/security-context-constraints-psa-opting.adoc

@@ -8,18 +8,18 @@
 
 You can enable or disable automatic pod security admission synchronization for most namespaces.
 
-[NOTE]
+[IMPORTANT]
 ====
-By default, user-created namespaces that have the prefix `openshift-` have pod security admission label synchronization disabled.
+Namespaces that are defined as part of the cluster payload have pod security admission synchronization disabled permanently. These namespaces include:
 
-Namespaces that the installer creates have pod security admission label synchronization disabled permanently. These namespaces include:
-
-* All namespaces that are prefixed with `openshift-`, except for `openshift-operators`
 * `default`
 * `kube-node-lease`
 * `kube-system`
 * `kube-public`
 * `openshift`
+* All system-created namespaces that are prefixed with `openshift-`, except for `openshift-operators`
+
+By default, all namespaces that have an `openshift-` prefix are not synchronized. You can enable synchronization for any user-created [x-]`openshift-*` namespaces. You cannot enable synchronization for any system-created [x-]`openshift-*` namespaces, except for `openshift-operators`.
 ====
 
 .Procedure

modules/security-context-constraints-psa-synchronization.adoc

@@ -10,26 +10,13 @@
 
 In addition to the global pod security admission control configuration, a controller exists that applies pod security admission control `warn` and `audit` labels to namespaces according to the SCC permissions of the service accounts that are in a given namespace.
 
-The controller examines `ServiceAccount` object permissions to use security context constraints in each namespace. Security context constraints (SCCs) are mapped to pod security profiles based on their field values; the controller uses these translated profiles. Pod security admission `warn` and `audit` labels are set to the most privileged pod security profile found in the namespace to prevent warnings and audit logging as pods are created.
-
-Namespace labeling is based on consideration of namespace-local service account privileges.
-
-Applying pods directly might use the SCC privileges of the user who runs the pod. However, user privileges are not considered during automatic labeling.
-
 [IMPORTANT]
 ====
-Namespaces that have an `openshift-` name prefix and were not created by the system during the installation are not synchronized by default.
-
-Namespaces that have the `openshift-` prefix are typically system namespaces; by convention, a controller should exist to manage them.
+Namespaces that are defined as part of the cluster payload have pod security admission synchronization disabled permanently. You can enable pod security admission synchronization on other namespaces as necessary.
+====
 
-You can enable SCC synchronization in namespaces that have the `openshift-` prefix by setting the value of the `security.openshift.io/scc.podSecurityLabelSync` label to `true`.
+The controller examines `ServiceAccount` object permissions to use security context constraints in each namespace. Security context constraints (SCCs) are mapped to pod security profiles based on their field values; the controller uses these translated profiles. Pod security admission `warn` and `audit` labels are set to the most privileged pod security profile found in the namespace to prevent warnings and audit logging as pods are created.
 
-Namespaces that are defined as part of the cluster payload have pod security admission synchronization disabled permanently. These namespaces include:
+Namespace labeling is based on consideration of namespace-local service account privileges.
 
-* All namespaces that are prefixed with `openshift-`, except for `openshift-operators`
-* `default`
-* `kube-node-lease`
-* `kube-system`
-* `kube-public`
-* `openshift`
-====
+Applying pods directly might use the SCC privileges of the user who runs the pod. However, user privileges are not considered during automatic labeling.