podsecurity: enforce privileged for openshift-etcd namespace

[s-urbaniak]

Starting with OpenShift 4.10 we are introducing PodSecurity admission (https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2579-psp-replacement).

Currently, all pods are marked as privileged, however, over time we want to enforce at least baseline, admirably restricted as default. In order not to break control plane workloads this allows workloads in openshift-etcd namespace to run privileged pods.

See openshift/enhancements#899 for more details (and excuse the eventual consistency of updates).

/cc @stlaz

[s-urbaniak]

/cc @deads2k

[lilic]

/lgtm
/hold

/retest

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lilic, s-urbaniak

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [lilic]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[lilic]

@hasbro17 @hexfusion This lgtm, but please take a look as well.

[hasbro17]

SGTM
@lilic @hexfusion Should we require the same policy for the openshift-etcd-operator namespace/pods as well?
https://github.com/openshift/cluster-etcd-operator/blob/master/manifests/0000_12_etcd-operator_00_namespace.yaml

[lilic]

No, I asked the same question and @s-urbaniak said the following:

the operator namespace does (fortunately) not run any privileged pods, so no need to annotate.

[hexfusion]

/hold cancel