-
Bug
-
Resolution: Done
-
Normal
-
Submariner 0.14.1, ACM 2.7.0
Description of problem:
ACM 2.7.0 / Submariner 0.14.1
ARO cluster (ocp 4.10) is missing security label for the submariner-operator namespace.
⚠ Starting with Kubernetes 1.23, the Pod Security admission controller expects namespaces to have security labels. Without these, you will see warnings in subctl's output. subctl should work fine, but you can avoid the warnings and ensure correct behavior by adding at least one of these labels to the namespace "submariner-operator":
pod-security.kubernetes.io/audit=privileged
pod-security.kubernetes.io/warn=privileged
pod-security.kubernetes.io/enforce=privileged
oc get ns submariner-operator -o yaml apiVersion: v1 kind: Namespace metadata: annotations: openshift.io/sa.scc.mcs: s0:c27,c4 openshift.io/sa.scc.supplemental-groups: 1000710000/10000 openshift.io/sa.scc.uid-range: 1000710000/10000 creationTimestamp: "2023-02-01T08:40:24Z" labels: kubernetes.io/metadata.name: submariner-operator olm.operatorgroup.uid/b6942f18-e4f8-41cd-a17e-cbf1a043bec3: "" name: submariner-operator ownerReferences: - apiVersion: work.open-cluster-management.io/v1 kind: AppliedManifestWork name: 5fd0bf4ade2c79071b989f39af47f34a893de281b892c5a7aef575c94fef288e-addon-submariner-deploy-0 uid: 4cbca467-97af-405d-bc18-7f94bb121717 resourceVersion: "66359" uid: 209a83e9-af10-421a-997c-2d3184e3bc53 spec: finalizers: - kubernetes status: phase: Active