-
Story
-
Resolution: Done
OCPSTRAT-487 - Pod Security Admission Integration - Restricted Enforcement
Rejected
Description of problem:
OCP 4.12 is based on k8s 1.25, but the PSA version is still v1.24.

```
MacBook-Pro:~ jianzhang$ oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.19   True        False         112m    Cluster version is 4.12.19
MacBook-Pro:~ jianzhang$ oc new-project test-jian
MacBook-Pro:~ jianzhang$ oc get ns test-jian -o yaml
apiVersion: v1
kind: Namespace
metadata:
  ...
  creationTimestamp: "2023-05-29T01:43:19Z"
  labels:
    kubernetes.io/metadata.name: test-jian
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.24
  name: test-jian
  resourceVersion: "41150"
  uid: efdc3439-ae6d-4f7a-a0c2-c1430240474d
spec:
  finalizers:
  - kubernetes
status:
  phase: Active

MacBook-Pro:~ jianzhang$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.13.0-0.nightly-2023-05-27-155444   True        False         16m     Cluster version is 4.13.0-0.nightly-2023-05-27-155444
MacBook-Pro:~ jianzhang$ oc new-project test-jian
MacBook-Pro:~ jianzhang$ oc get ns test-jian -o yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/description: ""
    openshift.io/display-name: ""
    openshift.io/requester: system:admin
    openshift.io/sa.scc.mcs: s0:c26,c10
    openshift.io/sa.scc.supplemental-groups: 1000670000/10000
    openshift.io/sa.scc.uid-range: 1000670000/10000
  creationTimestamp: "2023-05-29T01:54:09Z"
  labels:
    kubernetes.io/metadata.name: test-jian
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.24
  name: test-jian
  resourceVersion: "36261"
  uid: 200e072e-c721-4e6e-a0a4-311ddf07a177
spec:
  finalizers:
  - kubernetes
status:
  phase: Active

MacBook-Pro:~ jianzhang$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.14.0-0.nightly-2023-05-28-015206   True        False         111m    Cluster version is 4.14.0-0.nightly-2023-05-28-015206
MacBook-Pro:~ jianzhang$ oc new-project test-jian
MacBook-Pro:~ jianzhang$ oc get ns test-jian -o yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/description: ""
    openshift.io/display-name: ""
    openshift.io/requester: system:admin
    openshift.io/sa.scc.mcs: s0:c26,c25
    openshift.io/sa.scc.supplemental-groups: 1000700000/10000
    openshift.io/sa.scc.uid-range: 1000700000/10000
  creationTimestamp: "2023-05-29T01:59:37Z"
  labels:
    kubernetes.io/metadata.name: test-jian
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: v1.24
  name: test-jian
  resourceVersion: "47538"
  uid: e7ce1350-9410-48fa-8a63-d4bb912ee279
spec:
  finalizers:
  - kubernetes
status:
  phase: Active
```
Version-Release number of selected component (if applicable):
4.12, 4.13, 4.14
How reproducible:
always
Steps to Reproduce:
1. Install OCP
2. Create a new project, such as `oc new-project test-jian`
3. Check the project's labels.
Actual results:
For OCP 4.12+, it is v1.24, which does not match the k8s version.
Expected results:
It should match the k8s version; for OCP 4.12, it should be v1.25.
Additional info:
- relates to: OCPBUGS-42526 The openshift-operator-lifecycle-manager and openshift-marketplace namespaces still use old pod-security.kubernetes.io/*-version v1.24 and v1.25 respectively (New)
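
The label check from the reproduction steps, generalized to every namespace in a cluster, as an added example that is not part of the original report or of OpenShift's own code. It assumes input in the shape of `oc get ns -o json` and a Kubernetes version string supplied by the caller; the sample data, the namespace names other than `test-jian`, and the function names are constructed for illustration.

```python
import json
import re

PSA_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")

# Constructed sample in the shape of `oc get ns -o json`; label values follow the report.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "test-jian", "labels": {
    "pod-security.kubernetes.io/audit": "restricted",
    "pod-security.kubernetes.io/audit-version": "v1.24",
    "pod-security.kubernetes.io/warn": "restricted",
    "pod-security.kubernetes.io/warn-version": "v1.24"}}},
  {"metadata": {"name": "test-enforce", "labels": {
    "pod-security.kubernetes.io/enforce": "restricted",
    "pod-security.kubernetes.io/enforce-version": "v1.24"}}},
  {"metadata": {"name": "test-latest", "labels": {
    "pod-security.kubernetes.io/enforce": "restricted",
    "pod-security.kubernetes.io/enforce-version": "latest"}}},
  {"metadata": {"name": "test-unlabelled"}}
]}
""")

def parse_minor(version):
    """Return (major, minor) for 'v1.24' or '1.25.8+abc'; None if unparsable."""
    m = re.match(r"v?(\d+)\.(\d+)", version or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def stale_psa_pins(namespace_list, cluster_version):
    """List (namespace, mode, level, pinned) where the pin is older than the cluster."""
    cluster = parse_minor(cluster_version)
    if cluster is None:
        raise ValueError(f"unparsable cluster version: {cluster_version!r}")
    findings = []
    for ns in namespace_list.get("items", []):
        meta = ns.get("metadata", {})
        labels = meta.get("labels") or {}
        for mode in MODES:
            pinned = labels.get(f"{PSA_PREFIX}{mode}-version")
            if pinned is None or pinned == "latest":
                continue  # no pin, or explicitly tracking the newest policy
            pin = parse_minor(pinned)
            if pin is None or pin < cluster:  # unparsable pins are reported too
                findings.append((meta.get("name"), mode, labels.get(PSA_PREFIX + mode), pinned))
    return findings

if __name__ == "__main__":
    for finding in stale_psa_pins(SAMPLE, "v1.25"):
        print(*finding)
```

A pinned `*-version` label evaluates pods against the policy definition of that Kubernetes minor release, so each finding is a namespace whose Pod Security checks lag behind the cluster it runs on.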