Fix creation of OVA server pod under enforced restricted namespaces #660
Conversation
953246c to 1ba4fec
Did you check the other pods we create (virt-v2v, populators)? In my opinion they work in the default namespace. I don't remember that we ever checked the restriction level. Can the OVA provider work with the additional restriction here without checking the namespace?
1ba4fec to c79763e
After testing it with the virt-v2v pod, it's working without the extra configuration, but it seems that the difference relies on the fact that the OVA server runs as a Deployment while virt-v2v is created directly as a pod. For the Deployment at the highest security level there is extra enforcement for the user that can run the pod, while for the others it's not required and is determined automatically.
Signed-off-by: Bella Khizgiyaev <[email protected]>
c79763e to f5a1e9d
Kudos, SonarCloud Quality Gate passed! 0 Bugs. No Coverage information.
So, can we do it as restricted all the time on any namespace?
No, for the
When a new namespace is created in OpenShift, it is automatically labeled with `pod-security.kubernetes.io/audit`, which refers to a secondary, restricted security level. The situation is different in Kubernetes and for the default namespace, where such automatic labeling does not occur. When a namespace is marked as restricted, an additional label, `pod-security.kubernetes.io/enforce`, is added. This label represents the highest security level, where violations are not permitted. When deploying an OVA server pod, it is created with standard settings across all namespaces, except those marked only with the enforce option. In these cases, extra configuration is required to eliminate any potential security violations.
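The two points in the reply above, that only a namespace with `pod-security.kubernetes.io/enforce=restricted` rejects a non-compliant pod (audit/warn labels only report), and that the Deployment's pod template needs extra `securityContext` fields to pass, can be checked offline before a rollout. The following is an added example, not code from this PR or from the forklift project: a small Python checker that models the Pod Security Standards `restricted` rules the built-in admission controller applies, run against a constructed plain pod template and a constructed hardened one. The container image name and the two namespace label sets are constructed placeholders.

```python
"""Check a pod template against the Pod Security Standards 'restricted' profile.

Added example (not from the forklift project). It models:
(1) a pod is rejected only when the namespace *enforces* restricted;
    audit/warn labels report violations but still admit the pod;
(2) the securityContext fields a Deployment's pod template needs to pass.
"""

LABEL_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")


def pss_modes(namespace_labels: dict) -> dict:
    """Return {mode: level} for the Pod Security Admission labels on a namespace."""
    return {
        mode: namespace_labels[LABEL_PREFIX + mode]
        for mode in MODES
        if LABEL_PREFIX + mode in namespace_labels
    }


def admission_rejects(namespace_labels: dict, violations: list) -> bool:
    """Rejection requires both an enforce=restricted label and at least one violation."""
    return pss_modes(namespace_labels).get("enforce") == "restricted" and bool(violations)


def restricted_violations(pod_spec: dict) -> list:
    """Return the restricted-profile rules a pod spec breaks.

    This is a subset of the checks Pod Security Admission performs; pod-level
    securityContext values apply to a container unless the container overrides them.
    """
    problems = []
    pod_sc = pod_spec.get("securityContext", {})
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(key):
            problems.append(f"{key} must not be set")
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            problems.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add", [])) - {"NET_BIND_SERVICE"}
        if extra:
            problems.append(f"{name}: capabilities.add only allows NET_BIND_SERVICE, got {sorted(extra)}")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true (pod or container level)")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            problems.append(f"{name}: runAsUser must not be 0")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


# Constructed pod template in the shape of a plain Deployment: no securityContext at all.
PLAIN_TEMPLATE = {
    "containers": [{"name": "ova-server", "image": "example.invalid/ova-server:placeholder"}]
}

# Constructed hardened template: the fields the restricted profile requires.
HARDENED_TEMPLATE = {
    "securityContext": {
        "runAsNonRoot": True,
        "seccompProfile": {"type": "RuntimeDefault"},
    },
    "containers": [{
        "name": "ova-server",
        "image": "example.invalid/ova-server:placeholder",
        "securityContext": {
            "allowPrivilegeEscalation": False,
            "capabilities": {"drop": ["ALL"]},
        },
    }],
}

# Constructed namespace label sets: audit/warn only (reports) vs. enforce=restricted (rejects).
AUDIT_ONLY_NS = {LABEL_PREFIX + "audit": "restricted", LABEL_PREFIX + "warn": "restricted"}
ENFORCED_NS = {LABEL_PREFIX + "enforce": "restricted", LABEL_PREFIX + "audit": "restricted"}

if __name__ == "__main__":
    for ns_name, labels in (("audit-only", AUDIT_ONLY_NS), ("enforced", ENFORCED_NS)):
        for tmpl_name, tmpl in (("plain", PLAIN_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
            v = restricted_violations(tmpl)
            print(f"{ns_name:10} {tmpl_name:8} rejected={admission_rejects(labels, v)} violations={v}")
```

Running it shows the plain template is admitted in the audit-only namespace but rejected in the enforced one, while the hardened template is admitted in both; the same checker can be pointed at a rendered Deployment's `spec.template.spec` to catch the missing fields before the admission controller does.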