Details
Story
Resolution: Done
Description
What
Don't enforce system defaults on a namespace's pod security labels if those labels are managed by a user.
Why
If the managedFields (https://kubernetes.io/docs/reference/using-api/server-side-apply/#field-management) indicate that a user changed the pod security labels, we should not enforce system defaults.
A user might not be aware that the label syncer can be turned off and might try to change the state of the pod security profiles manually.
This fight between a user and the label syncer can cause violations.