rewrite the opt-in section for non-labelled NSes

openshift · Feb 23, 2022 · c191e48 · c191e48
1 parent 19f98ae
commit c191e48
Showing 1 changed file with 20 additions and 23 deletions.
diff --git a/enhancements/authentication/pod-security-admission-autolabeling.md b/enhancements/authentication/pod-security-admission-autolabeling.md
@@ -122,29 +122,26 @@ The Controller described in [PSa Label Synchronization Controller](#psa-label-sy
 works on an opt-in basis, meaning that users need to specifically sign themselves up
 if they wanted to stick with just SCCs.
 
-The opt-in is driven by the `security.openshift.io/scc.podSecurityLabelSync: “true”`
-label, namespaces containing it will have their PSa labels reconciled by
-the Controller.
-
-The opt-in nature of the Controller would cause current workloads to break.
-The choice of opting-in is therefore only left upon the users that are
-capable of creating the `Namespace` objects directly. Such a user can clearly
-set the appropriate labels themselves.
-
-The rest of the users rely on `Namespace` creation delegated via the OpenShift
-`Project` API. The default `Project` template should therefore be modified so
-that it by default includes the `security.openshift.io/scc.podSecurityLabelSync: “true”`
-label. This ensures that the decision to use PSa as the main authorization
-mechanism is left to privileged users only and the workloads of the rest
-of the users keeps working.
-
-Simply updating the `Project` template is not enough to keep older workloads
-working during upgrades. For that purpose, a controller should exist in an
-4.(n-1) version that annotates all namespaces created via the `Project` API.
-The controller assumes such a namespace creation by the "openshift.io/requester"
-annotation on the namespace, this annotation is added by the default `Project`
-template. The 4.n version is the version when the PSa gets turned on by default
-in restricted level, 4.(n-1) is the version that precedes it.
+Namespaces that specifically want to have their PSa labels synchronized
+should be labelled by the `security.openshift.io/scc.podSecurityLabelSync`
+label with the label value set to `“true”`, on the other hand, to specifically
+request no PSa label synchronization, the namespace should set the label's
+value to "false".
+
+By default, namespaces without the synchronization label will be still
+considered for label synchronization. These namespaces are considered
+"no-opinion" and the label synchronization behavior for these may change
+in any future release.
+
+Having the "no-opinion" path helps keeping the older workloads working
+during upgrades. It also gives us space to decide whether we want the
+label synchronization be done by default or whether the users should
+specifically opt into it in the future.
+
+As a consequence of the opt-in/opt-out being dependent on `Namespace`
+labelling, only the privileged users can determine what kind of
+admission mechanism may run on namespaces, non-privileged users
+depend on the platform defaults.
 
 #### SCC to PSa Level Transformation