[release-0.49] Integrate with Pod security #8529

Merged
merged 6 commits into from Oct 4, 2022

Commits on Sep 26, 2022

  1. Enforce AllowPrivilegeEscalation

    Be compliant with PSA restricted.
    This can be achieved for virt-api,
    virt-operator, virt-controller.
    
    Signed-off-by: L. Pivarc <lpivarc@redhat.com>
    (cherry picked from commit 6021d9e)
    Signed-off-by: L. Pivarc <lpivarc@redhat.com>
    xpivarc committed Sep 26, 2022
    416fa6a
  2. Drop ALL capabilities

    Be compliant with PSA restricted. This can
    be applied to virt-api, virt-operator,
    virt-controller.
    
    Signed-off-by: L. Pivarc <lpivarc@redhat.com>
    (cherry picked from commit 46c395a)
    Signed-off-by: L. Pivarc <lpivarc@redhat.com>
    xpivarc committed Sep 26, 2022
    96625b6
  3. Set SeccompProfile

    Be compliant with PSA restricted. This can
    be applied to virt-api, virt-operator,
    virt-controller.
    
    Signed-off-by: L. Pivarc <lpivarc@redhat.com>
    (cherry picked from commit 63c6f8e)
    Signed-off-by: L. Pivarc <lpivarc@redhat.com>
    xpivarc committed Sep 26, 2022
    dd7f468
  4. Pod security label for Kubevirt

    Kubevirt install namespace needs to
    specify level to enforce as it contains
    privileged workload.
    
    Signed-off-by: L. Pivarc <lpivarc@redhat.com>
    (cherry picked from commit 4690f39)
    Signed-off-by: L. Pivarc <lpivarc@redhat.com>
    xpivarc committed Sep 26, 2022
    998225b
  5. Integrate with Pod security

    VMs are unfortunately still privileged workload (in Kubevirt).
    We have to integrate with new Pod Security Standards in order to allow
    seamless integration, upgrades.
    
    This means we now make sure that target namespace allows
    privileged workloads if PSA feature gate is enabled.
    This unfortunately means users escalate their privileges,
    in terms of Pod security, by having ability to create VMs.
    
    (cherry picked from commit 8512fe3)
    Signed-off-by: L. Pivarc <lpivarc@redhat.com>
    
    Signed-off-by: L. Pivarc <lpivarc@redhat.com>
    xpivarc committed Sep 26, 2022
    8fd9ac1
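The commits above describe two sides of Pod Security integration: making the control-plane pods (virt-api, virt-operator, virt-controller) pass the `restricted` profile by setting `allowPrivilegeEscalation: false`, dropping `ALL` capabilities and setting a `seccompProfile`, and labelling the install namespace so that the still-privileged VM workload is admitted. The checker below is an added example, not KubeVirt code, and encodes the restricted-profile rules for exactly those three fields plus the `pod-security.kubernetes.io/enforce` namespace label; the two pod manifests and the namespaces are constructed inline to mirror a "before" and "after" of commits 1 to 4, and the NET_BIND_SERVICE allowance is the one exception the restricted profile itself grants for `capabilities.add`.

```python
"""Lint a Pod against the subset of the Pod Security 'restricted' profile
covered by these commits, and decide whether a namespace's enforce label
admits a workload of a given level. Added example; not project code."""

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
# Profiles ordered from most to least permissive.
LEVEL_ORDER = {"privileged": 0, "baseline": 1, "restricted": 2}


def restricted_violations(pod: dict) -> list[str]:
    """Return one message per violated rule, empty when compliant.
    Rules checked: allowPrivilegeEscalation must be explicitly false,
    capabilities.drop must contain ALL (add may only hold NET_BIND_SERVICE),
    seccompProfile.type must be RuntimeDefault or Localhost. Seccomp may be
    set at pod level and inherited unless the container overrides it."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    out = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in [d.upper() for d in caps.get("drop", [])]:
            out.append(f"{name}: capabilities.drop must include ALL")
        extra = [a for a in caps.get("add", []) if a.upper() != "NET_BIND_SERVICE"]
        if extra:
            out.append(f"{name}: capabilities.add may only hold NET_BIND_SERVICE, got {extra}")
        prof = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if prof not in ("RuntimeDefault", "Localhost"):
            out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return out


def namespace_admits(namespace: dict, workload_level: str) -> bool:
    """True if the namespace's enforce label admits a workload whose most
    permissive satisfiable profile is workload_level. An unlabelled namespace
    is treated as enforcing 'privileged', i.e. it admits anything."""
    labels = namespace.get("metadata", {}).get("labels") or {}
    enforced = labels.get(ENFORCE_LABEL, "privileged")
    return LEVEL_ORDER[enforced] <= LEVEL_ORDER[workload_level]


# Constructed sample: virt-api-like pod before the commits (no securityContext).
POD_BEFORE = {
    "metadata": {"name": "virt-api"},
    "spec": {"containers": [{"name": "virt-api", "image": "virt-api:example"}]},
}

# Constructed sample: the same pod with the three settings from commits 1-3.
POD_AFTER = {
    "metadata": {"name": "virt-api"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "virt-api",
            "image": "virt-api:example",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

# Constructed namespaces: the install namespace labelled as in commit 4,
# and a tenant namespace enforcing restricted.
NS_KUBEVIRT = {"metadata": {"name": "kubevirt", "labels": {ENFORCE_LABEL: "privileged"}}}
NS_RESTRICTED = {"metadata": {"name": "tenant", "labels": {ENFORCE_LABEL: "restricted"}}}


if __name__ == "__main__":
    for label, pod in (("before", POD_BEFORE), ("after", POD_AFTER)):
        print(label, restricted_violations(pod) or "compliant")
    # virt-launcher style VM pods satisfy only 'privileged'.
    print("kubevirt ns admits VM pod:", namespace_admits(NS_KUBEVIRT, "privileged"))
    print("restricted ns admits VM pod:", namespace_admits(NS_RESTRICTED, "privileged"))
```

The second function is the decision commit 5 describes: before a VM is scheduled, the target namespace's enforce level must be at or below what the VM pod can satisfy, which for a privileged launcher means the namespace must not enforce `baseline` or `restricted`.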

Commits on Sep 27, 2022

  1. Pod security on Openshift

    Make sure we are not racing with cluster
    sync mechanism on Openshift.
    
    Signed-off-by: L. Pivarc <lpivarc@redhat.com>
    (cherry picked from commit 230676f)
    Signed-off-by: L. Pivarc <lpivarc@redhat.com>
    xpivarc committed Sep 27, 2022
    39abb59