Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-2256

[Submariner] - Vsphere cluster shows Pod Security admission controller warnings

    XMLWordPrintable

Details

    Description

      Description of problem:

      ACM 2.7 / Submariner 0.14.0

      When running subctl diagnose firewall inter-cluster check on vsphere cluster, Pod Security admission controller warnings appears.

      When the above command executed between vsphere and aws cluster, only if the vsphere cluster is first, the following warning appears:

      ⚠ Starting with Kubernetes 1.23, the Pod Security admission controller expects namespaces to have security labels. Without these, you will see warnings in subctl's output. subctl should work fine, but you can avoid the warnings and ensure correct behavior by adding at least one of these labels to the namespace "default":
  pod-security.kubernetes.io/enforce=privileged
  pod-security.kubernetes.io/audit=privileged
  pod-security.kubernetes.io/warn=privileged

      The submariner-operator namespace has the required labels:

      apiVersion: v1
kind: Namespace
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Namespace","metadata":{"annotations":{},"labels":{"pod-security.kubernetes.io/audit":"privileged","pod-security.kubernetes.io/enforce":"privileged","pod-security.kubernetes.io/warn":"privileged"},"name":"submariner-operator"}}
    openshift.io/sa.scc.mcs: s0:c26,c25
    openshift.io/sa.scc.supplemental-groups: 1000700000/10000
    openshift.io/sa.scc.uid-range: 1000700000/10000
  creationTimestamp: "2022-12-01T16:58:29Z"
  labels:
    kubernetes.io/metadata.name: submariner-operator
    olm.operatorgroup.uid/49d2ca8b-dcdf-4e1c-9a8f-5c09a49dd37a: ""
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
    pod-security.kubernetes.io/warn-version: v1.24
  name: submariner-operator
  ownerReferences:
  - apiVersion: work.open-cluster-management.io/v1
    kind: AppliedManifestWork
    name: 5fd0bf4ade2c79071b989f39af47f34a893de281b892c5a7aef575c94fef288e-addon-submariner-deploy-0
    uid: 4339f6c5-8b50-42f4-a76d-0de5f7872e1c
  resourceVersion: "223589"
  uid: 7d8221bb-8167-457f-a1d7-500a517a7c1c
spec:
  finalizers:
  - kubernetes
status:
  phase: Active

      In additional, as could be seen from the error, it specifies default namespace, which is not used in submariner deployment and indeed does not have the labels.
      If executing the same check and putting aws cluster first, the warning is not shown.

      Attachments

        Activity

          People

            sgaddam@redhat.com Gaddam Sridhar
            mbabushk@redhat.com Maxim Babushkin
            Maxim Babushkin Maxim Babushkin
            ACM QE Team
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: