Skip to content

security: restrict BareMetalHost creation to OpenStack namespaces#67

Merged
pinikomarov merged 1 commit into
mainfrom
security/bmo-watchallnamespaces
Jul 7, 2026
Merged

security: restrict BareMetalHost creation to OpenStack namespaces#67
pinikomarov merged 1 commit into
mainfrom
security/bmo-watchallnamespaces

Conversation

@cjeanner

@cjeanner cjeanner commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Add ValidatingAdmissionPolicy to enforce namespace-scoped access controls for BareMetalHost resources while maintaining watchAllNamespaces: true in the Bare Metal Operator configuration.

Changes:

  • Add ValidatingAdmissionPolicy restricting BareMetalHost CREATE operations to 'openstack' and 'openstack-operators' namespaces only
  • Add ValidatingAdmissionPolicyBinding to apply policy cluster-wide
  • Grant ArgoCD RBAC permissions for admissionregistration.k8s.io resources using explicit verbs (no wildcards) following least-privilege pattern
  • Configure ArgoCD sync-wave -35 to deploy policy before namespace creation
  • Create baremetalhost-validation component integrated with provisioning-config

This prevents unauthorized bare metal host enrollment from arbitrary namespaces while preserving operational flexibility required by RHOSO.

Add ValidatingAdmissionPolicy to enforce namespace-scoped access controls
for BareMetalHost resources while maintaining watchAllNamespaces: true in
the Bare Metal Operator configuration.

Changes:
- Add ValidatingAdmissionPolicy restricting BareMetalHost CREATE operations
  to 'openstack' and 'openstack-operators' namespaces only
- Add ValidatingAdmissionPolicyBinding to apply policy cluster-wide
- Grant ArgoCD RBAC permissions for admissionregistration.k8s.io resources
  using explicit verbs (no wildcards) following least-privilege pattern
- Configure ArgoCD sync-wave -35 to deploy policy before namespace creation
- Create baremetalhost-validation component integrated with provisioning-config

This prevents unauthorized bare metal host enrollment from arbitrary
namespaces while preserving operational flexibility required by RHOSO.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@cjeanner cjeanner requested review from pinikomarov and sathlan July 6, 2026 14:08
@cjeanner cjeanner self-assigned this Jul 6, 2026
@cjeanner

cjeanner commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator Author

I could get a green in our internal pipeline. The used patch was stacking both #66 and this one - everything could deploy accordingly, even baremetal hosts.

@pinikomarov pinikomarov left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, this rightfully addresses FIND-012

@pinikomarov pinikomarov merged commit 8adc783 into main Jul 7, 2026
1 check passed
@pinikomarov pinikomarov deleted the security/bmo-watchallnamespaces branch July 7, 2026 14:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants