Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-10831

It is better for pod-security admission config to use v1 like upstream instead of still using v1beta1

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done-Errata
    • Undefined
    • 4.14.0
    • 4.13.0, 4.12.z
    • apiserver-auth
    • Moderate
    • Auth - Sprint 235
    • 1
    • No
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:
      It is better for pod-security admission config to use v1 like upstream instead of still using v1beta1

      Version-Release number of selected component (if applicable):
      4.12, 4.13

      How reproducible:
      Always

      Steps to Reproduce:
      1. In upstream, when it was 1.24, https://v1-24.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller shows "pod-security.admission.config.k8s.io/v1beta1".

      When it was 1.25 (OCP 4.12), https://v1-25.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller does not show "shows pod-security.admission.config.k8s.io/v1beta1" any longer. In the bottom, it notes: pod-security.admission.config.k8s.io/v1 configuration requires v1.25+. For v1.23 and v1.24, use v1beta1.

      In OCP 4.12 (1.25) and 4.13 (1.26), it is still v1beta1, we'd better to align with upstream:

      4.12:
      $ oc version
      ..
      Server Version: 4.12.9
      Kubernetes Version: v1.25.7+eab9cc9
      
      $ jq "" $(oc extract cm/config -n openshift-kube-apiserver --confirm) | jq '.admission.pluginConfig.PodSecurity'
      {
        "configuration": {
          "apiVersion": "pod-security.admission.config.k8s.io/v1beta1",
          "defaults": {
            "audit": "restricted",
            "audit-version": "latest",
            "enforce": "privileged",
            "enforce-version": "latest",
            "warn": "restricted",
            "warn-version": "latest"
          },
          "exemptions": {
            "usernames": [
              "system:serviceaccount:openshift-infra:build-controller"
            ]
          },
          "kind": "PodSecurityConfiguration"
        }
      }
      
      4.13:
      $ oc version
      ...
      Server Version: 4.13.0-0.nightly-2023-03-23-204038
      Kubernetes Version: v1.26.2+dc93b13
      
      $ jq "" $(oc extract cm/config -n openshift-kube-apiserver --confirm) | jq '.admission.pluginConfig.PodSecurity'
      {
        "configuration": {
          "apiVersion": "pod-security.admission.config.k8s.io/v1beta1",
          "defaults": {
            "audit": "restricted",
            "audit-version": "latest",
            "enforce": "privileged",
            "enforce-version": "latest",
            "warn": "restricted",
            "warn-version": "latest"
          },
          "exemptions": {
            "usernames": [
              "system:serviceaccount:openshift-infra:build-controller"
            ]
          },
          "kind": "PodSecurityConfiguration"
        }
      }
      

      Actual results:

      See above.

      Expected results:

      It is better for pod-security admission config to align with upstream to use v1 than v1beta1.

      Additional info:

       

      Attachments

        Activity

          People

            slaznick@redhat.com Stanislav Laznicka
            xxia-1 Xingxing Xia
            Giriyamma Karagere Ramaswamy Giriyamma Karagere Ramaswamy
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: