Merge pull request #1358 from stlaz/buildcontroller_psa

Bug 2086519: exempt build controller SA from PodSecurity admission
openshift · Jun 3, 2022 · ee6d396 · ee6d396
2 parents 12b962e + aab0cba
commit ee6d396
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/bindata/assets/config/defaultconfig.yaml b/bindata/assets/config/defaultconfig.yaml
@@ -20,6 +20,15 @@ admission:
           audit-version: "latest"
           warn: "restricted"
           warn-version: "latest"
+        exemptions:
+          usernames:
+          # The build controller creates pods that are likely to be privileged
+          # based on BuildConfig objects. Access to these build pods is however
+          # still limited by the SCC exec admission and so we can safely add the
+          # build-controller SA here.
+          # This configuration should never be exposed to cluster users as no
+          # such guarantees are made for any other OpenShift SA/user.
+          - system:serviceaccount:openshift-infra:build-controller
 apiServerArguments:
   allow-privileged:
     - "true"