File: microshift_running_apps/microshift-authentication.adoc (2 additions & 2 deletions)
@@ -1,10 +1,10 @@
:_content-type: ASSEMBLY
[id="authentication-with-microshift"]
-
= Pod security authentication and authorization on {product-title}
+
= Pod security authentication and authorization
include::_attributes/attributes-microshift.adoc[]
:context: authentication-microshift
-
== Understanding and managing pod security admission
+
== Understanding and managing pod security admission
Pod security admission is an implementation of the link:https://kubernetes.io/docs/concepts/security/pod-security-standards/[Kubernetes pod security standards]. Use pod security admission to restrict the behavior of pods.
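Review bot: The title change drops `{product-title}` entirely instead of substituting `{microshift-short}`, which is what the companion hunk in modules/microshift-security-context-constraints.adoc does for the same attribute; if `{product-title}` resolves to the wrong product in this build, `= Pod security authentication and authorization on {microshift-short}` keeps the scope explicit in a multi-product docs site and stays consistent with that module. Also, the `-`/`+` pair for `== Understanding and managing pod security admission` shows identical text, so it is a whitespace-only change; either drop it from the commit or say in the commit message that trailing whitespace is being cleaned up.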
= Controlling pod security admission synchronization
-
You can enable or disable automatic pod security admission synchronization for most namespaces.
+
You can enable automatic pod security admission synchronization for most namespaces.
+
+
System defaults are not enforced when the `security.openshift.io/scc.podSecurityLabelSync` field is empty or set to `false`. You must set the label to `true` for synchronization to occur.
[IMPORTANT]
====
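Review bot: The added sentence calls `security.openshift.io/scc.podSecurityLabelSync` a "field" and refers to undefined "system defaults"; everywhere else in this module, including the procedure that follows, it is a namespace label, and what is skipped is label synchronization, not some default. Suggest: "Synchronization does not occur when the `security.openshift.io/scc.podSecurityLabelSync` label is absent from the namespace or set to `false`. Set the label to `true` to enable it." Removing "or disable" from the opening sentence also leaves the `false` case described only by implication; because synchronization can be switched on without the user asking for it (the cluster service version case in the admonition that follows), the module should still state plainly that setting the label to `false` turns it off for that namespace.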
@@ -18,23 +20,14 @@ Namespaces that are defined as part of the cluster payload have pod security adm
* `kube-public`
* `openshift`
* All system-created namespaces that are prefixed with `openshift-`, except for `openshift-operators`
-
By default, all namespaces that have an `openshift-` prefix are not synchronized. You can enable synchronization for any user-created [x-]`openshift-*` namespaces. You cannot enable synchronization for any system-created [x-]`openshift-*` namespaces, except for `openshift-operators`.
+
By default, all namespaces that have an `openshift-` prefix are not synchronized. You can enable synchronization for any user-created [x-]`openshift-*` namespaces. You cannot enable synchronization for any system-created [x-]`openshift-*` namespaces, except for `openshift-operators`.
If an Operator is installed in a user-created `openshift-*` namespace, synchronization is turned on by default after a cluster service version (CSV) is created in the namespace. The synchronized label inherits the permissions of the service accounts in the namespace.
====
.Procedure
-
* For each namespace that you want to configure, set a value for the `security.openshift.io/scc.podSecurityLabelSync` label:
-
** To disable pod security admission label synchronization in a namespace, set the value of the `security.openshift.io/scc.podSecurityLabelSync` label to `false`.
** To enable pod security admission label synchronization in a namespace, set the value of the `security.openshift.io/scc.podSecurityLabelSync` label to `true`.
+
* To enable pod security admission label synchronization in a namespace, set the value of the `security.openshift.io/scc.podSecurityLabelSync` label to `true`.
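Review bot: The procedure now documents only the `true` case, but the admonition above still tells the reader they can enable synchronization for user-created `openshift-*` namespaces and that it is turned on automatically once a cluster service version is created, so there is no longer any documented step for turning it back off; keep the `false` bullet, or fold both values into one step. The remaining step also never shows how the label is applied; one command such as `oc label namespace <namespace> security.openshift.io/scc.podSecurityLabelSync=true` would make it actionable, and it is worth saying that the label is only read by the synchronization controller, which sets `warn` and `audit` labels to the most privileged profile in the namespace, so enabling it relaxes warnings rather than tightening enforcement. As in the first hunk, the `-`/`+` pair for `By default, all namespaces that have an `openshift-` prefix are not synchronized.` is identical text, i.e. a whitespace-only change.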
File: modules/microshift-security-context-constraints.adoc (2 additions & 2 deletions)
@@ -7,13 +7,13 @@
= Security context constraint synchronization with pod security standards
-
{product-title} includes link:https://kubernetes.io/docs/concepts/security/pod-security-admission[Kubernetes pod security admission]. Globally, the `restricted` profile is enforced by default for {product-title}.
+
{microshift-short} includes link:https://kubernetes.io/docs/concepts/security/pod-security-admission[Kubernetes pod security admission].
In addition to the global pod security admission control configuration, a controller exists that applies pod security admission control `warn` and `audit` labels to namespaces according to the security context constraint (SCC) permissions of the service accounts that are in a given namespace.
[IMPORTANT]
====
-
Namespaces that are defined as part of the cluster payload have pod security admission synchronization disabled permanently. You can enable pod security admission synchronization on other namespaces as necessary. If an Operator is installed in a user-created `openshift-*` namespace, synchronization is turned on by default after a cluster service version (CSV) is created in the namespace.
+
Namespaces that are defined as part of the cluster payload have pod security admission synchronization disabled permanently. You can enable pod security admission synchronization on other namespaces as necessary. If an Operator is installed in a user-created `openshift-*` namespace, synchronization is turned on by default after a cluster service version (CSV) is created in the namespace.
====
The controller examines `ServiceAccount` object permissions to use security context constraints in each namespace. Security context constraints (SCCs) are mapped to pod security profiles based on their field values; the controller uses these translated profiles. Pod security admission `warn` and `audit` labels are set to the most privileged pod security profile found in the namespace to prevent warnings and audit logging as pods are created.
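Review bot: Deleting `Globally, the `restricted` profile is enforced by default for {product-title}.` removes the only statement of the global enforcement level, yet the unchanged next paragraph still opens with "In addition to the global pod security admission control configuration", which now refers to something the module never describes. If {microshift-short} does not enforce `restricted` globally, state what it does enforce, or that no global `enforce` level applies and only the per-namespace `warn` and `audit` labels are set; if it does, keep the sentence with `{microshift-short}` substituted for `{product-title}`. This is the security-relevant gap: the final paragraph says the controller only sets `warn` and `audit` labels, to the most privileged profile found in the namespace, so without a stated global `enforce` level a reader cannot tell whether anything actually rejects privileged pods. The `-`/`+` pair inside the `[IMPORTANT]` block is again identical text (whitespace only).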