-
Bug
-
Resolution: Done
-
Normal
-
ACM 2.7.1
Description of problem:
In an OCP 4.10.10 cluster, when ACM 2.7.1 is deployed along with Submariner, the "subctl diagnose all" command emits the following warnings.
[sgaddam@localhost 9th-dbs]$ subctl diagnose kube-proxy-mode Cluster "hub-cluster" ⠈⠑ Checking Submariner support for the kube-proxy mode ⚠ Starting with Kubernetes 1.23, the Pod Security admission controller expects namespaces to have security labels. Without these, you will see warnings in subctl's output. subctl should work fine, but you can avoid the warnings and ensure correct behavior by adding at least one of these labels to the namespace "submarine r-operator": pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged
When I had a look at the labels of submariner-operator namespace, it does not include the pod-security labels.
[sgaddam@localhost 9th-dbs]$ kubectl get namespace submariner-operator -oyaml apiVersion: v1 kind: Namespace metadata: annotations: openshift.io/sa.scc.mcs: s0:c28,c2 openshift.io/sa.scc.supplemental-groups: 1000760000/10000 openshift.io/sa.scc.uid-range: 1000760000/10000 creationTimestamp: "2023-03-09T02:53:37Z" labels: kubernetes.io/metadata.name: submariner-operator olm.operatorgroup.uid/b0061b9c-c9cb-4d63-9224-72acfdd81784: "" name: submariner-operator ownerReferences: - apiVersion: work.open-cluster-management.io/v1 kind: AppliedManifestWork name: 1bf25813fc490b30da135c59843586658d344adeb4a3190ca477442c0a3fe31e-addon-submariner-deploy-0 uid: c6ddb12e-35aa-4528-81db-0069efcdb930 resourceVersion: "1589815" uid: 9f9b5f8c-80cf-4572-9e47-094d3659b1d6 spec: finalizers: - kubernetes status: phase: Active
Version-Release number of selected component (if applicable):
ACM 2.7.1
Submariner 0.14.1
subctl: 0.14.1 as well as devel
[sgaddam@localhost 9th-dbs]$ oc version
Client Version: 4.11.20
Kustomize Version: v4.5.4
Server Version: 4.10.10
Kubernetes Version: v1.23.5+9ce5071
Cloud platform: AWS
