[release-0.49] Integrate with Pod security #8529
Conversation
Be compliant with PSA restricted. This can be achivied for virt-api, virt-operator, virt-controller. Signed-off-by: L. Pivarc <lpivarc@redhat.com> (cherry picked from commit 6021d9e) Signed-off-by: L. Pivarc <lpivarc@redhat.com>
Be compliant with PSA restricted. This can be applied to virt-api, virt-operator, virt-controller. Signed-off-by: L. Pivarc <lpivarc@redhat.com> (cherry picked from commit 46c395a) Signed-off-by: L. Pivarc <lpivarc@redhat.com>
Be compliant with PSA restricted. This can be applied to virt-api, virt-operator, virt-controller. Signed-off-by: L. Pivarc <lpivarc@redhat.com> (cherry picked from commit 63c6f8e) Signed-off-by: L. Pivarc <lpivarc@redhat.com>
Kubevirt install namespace needs to specify level to enforce as it contains privileged workload. Signed-off-by: L. Pivarc <lpivarc@redhat.com> (cherry picked from commit 4690f39) Signed-off-by: L. Pivarc <lpivarc@redhat.com>
VMs are unfortunatly still privileged workload(in Kubevirt). We have to integrate with new Pod Security Standards in order to allow seamless integration, upgrades. This means we now make sure that target namespace allows privileged workloads if PSA feature gate is enabled. This unfortunatly means users escalate their privileges, in terms of Pod security, by having ability to create VMs. (cherry picked from commit 8512fe3) Signed-off-by: L. Pivarc <lpivarc@redhat.com> Signed-off-by: L. Pivarc <lpivarc@redhat.com>
Make sure we are not racing with cluster sync mechanism on Openshift. Signed-off-by: L. Pivarc <lpivarc@redhat.com> (cherry picked from commit 230676f) Signed-off-by: L. Pivarc <lpivarc@redhat.com>
kubevirt-bot
added
release-note
|
/lgtm |
|
@xpivarc this is failing to build, you're missing a dependency. |
|
/retest |
I am failing to reproduce the issue. Let's see what happens. |
It repros on my machine. Looks like #7526 v1.15.11 got released 4 days ago and contains the go 1.16 deprecation commit. |
|
/retest |
xpivarc
changed the title
|
@vladikr PTAL |
|
/approve |
|
/retest |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vladikr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
This is backport of #8436 (smaller version)
What this PR does / why we need it:
Pod Security Standards shows Kubevirt still can't run as a restricted workload. Clusters enforcing restricted policy are not able to run VMs without manual adjustments of namespaces. There is also an issue with our upgrade path to the cluster that starts to enforce the policy.
This PR enables opt-in to an automatic escalation of namespaces where VMs run. This should be used only with additional security in place or after auditing of RBAC for Kubevirt access(ability to create VM/VMI or higher abstractions).
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Release note: