Open adambkaplan opened 1 year ago
Syncing labels for PodSecurity is certainly feasible but clearly needs deeper thought. @s-urbaniak has lots of background.
SCCs I think are out of scope for syncing. SCCs are cluster-wide and they can influence overall physical cluster behaviour. Hence, they must be pre-installed in the physical cluster outside of syncing, e.g. by some OpenShift-aware syncer operator / installer, or other kind of fleet management.
Action item: let's schedule a dedicated meeting to discuss this with @s-urbaniak @adambkaplan @sttts
cc @cathaloconnorrh
As discussed in Slack, the current state of the discussion is:
- One can opt out of autolabelling (see https://docs.openshift.com/container-platform/4.11/authentication/understanding-and-managing-pod-security-admission.html#security-context-constraints-psa-opting_understanding-and-managing-pod-security-admission).
- `use` permissions for privileged SCCs. This RBAC lives in the downstream (OpenShift) cluster.

/transfer-issue contrib-tmc
Feature Description
Many users of Tekton/Pipeline Service run containers that require some level of extra pod security permissions. For instance, running buildah in a container requires (at minimum) the `SET_FCAP` capability, which is only allowed by the `baseline` Pod Security Standard. To run these workloads, the following abilities are needed:
Proposed Solution
Alternative Solutions
The current solution employed by the Pipeline Service is unique to its deployment topology:
- `pipelines`), which have the RBAC necessary for most Tekton Tasks.
- `pipelines` service account. RBAC is created to use this special SCC.

Want to contribute?
Additional Context
No response
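For concreteness, here is an added example (not from this issue, the linked docs, or the Pipeline Service project) that puts together the two pieces discussed in the thread: a namespace that opts out of OpenShift's SCC-to-PSA label sync and pins its Pod Security Admission labels explicitly, a cluster-scoped SCC that a cluster admin pre-installs out of band (as the thread argues SCCs must be), and namespaced RBAC granting the `use` verb on that one SCC to the `pipelines` service account named in the Alternative Solutions section. The namespace name `tekton-builds`, the SCC name `pipelines-buildah` and its field values are assumptions chosen for illustration; the opt-out label and the PSA label keys are the real ones. The capability buildah needs is spelled `SETFCAP` in the Linux capability list, and it is permitted by the `baseline` standard but not by `restricted`.

```yaml
# Added example, not code from the issue or the Pipeline Service project.
# Assumed names: namespace "tekton-builds", SCC "pipelines-buildah".
# The "pipelines" service account name comes from the issue text.

# 1. Namespace: opt out of the SCC-to-PSA label sync and set the PSA labels by hand.
#    "baseline" is the least restrictive Pod Security Standard that still allows SETFCAP.
apiVersion: v1
kind: Namespace
metadata:
  name: tekton-builds
  labels:
    security.openshift.io/scc.podSecurityLabelSync: "false"
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/warn: baseline
---
# 2. Cluster-scoped SCC (hypothetical), installed by a cluster admin rather than synced.
#    Starts from a restricted-v2-like posture and adds only SETFCAP; no privilege
#    escalation, no host namespaces, all other capabilities dropped.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: pipelines-buildah
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities:
  - SETFCAP
defaultAddCapabilities: []
requiredDropCapabilities:
  - ALL
readOnlyRootFilesystem: false
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
seccompProfiles:
  - runtime/default
volumes:
  - configMap
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
---
# 3. Namespaced RBAC in the downstream (OpenShift) cluster: "use" on exactly one SCC,
#    scoped with resourceNames so the grant cannot be widened to "privileged" by accident.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-pipelines-buildah-scc
  namespace: tekton-builds
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["pipelines-buildah"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipelines-use-buildah-scc
  namespace: tekton-builds
subjects:
  - kind: ServiceAccount
    name: pipelines
    namespace: tekton-builds
roleRef:
  kind: Role
  name: use-pipelines-buildah-scc
  apiGroup: rbac.authorization.k8s.io
```

Apply the SCC with cluster-admin rights and the rest with namespace-admin rights, then confirm the grant before running a Task: `oc auth can-i use securitycontextconstraints/pipelines-buildah -n tekton-builds --as=system:serviceaccount:tekton-builds:pipelines` should answer `yes`. Two caveats a practitioner should keep in mind: once label sync is off, the PSA labels no longer follow the SCCs granted in the namespace, so whoever owns the namespace owns keeping them consistent; and SCC admission and PSA admission are independent checks, so a pod the SCC permits is still rejected if it exceeds the namespace's `enforce` level, and vice versa.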