- Bug
- Resolution: Done-Errata
- Undefined
- 4.13.0, 4.12.z
- Moderate
- No
- Auth - Sprint 235
- 1
- False
Description of problem:
It is better for pod-security admission config to use v1 like upstream instead of still using v1beta1.
Version-Release number of selected component (if applicable):
4.12, 4.13
How reproducible:
Always
Steps to Reproduce:
1. In upstream, when it was 1.24, https://v1-24.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller shows "pod-security.admission.config.k8s.io/v1beta1".
When it was 1.25 (OCP 4.12), https://v1-25.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller does not show "pod-security.admission.config.k8s.io/v1beta1" any longer. At the bottom, it notes: pod-security.admission.config.k8s.io/v1 configuration requires v1.25+. For v1.23 and v1.24, use v1beta1.
In OCP 4.12 (1.25) and 4.13 (1.26), it is still v1beta1; we had better align with upstream:
4.12:
$ oc version
..
Server Version: 4.12.9
Kubernetes Version: v1.25.7+eab9cc9
$ jq "" $(oc extract cm/config -n openshift-kube-apiserver --confirm) | jq '.admission.pluginConfig.PodSecurity'
{
  "configuration": {
    "apiVersion": "pod-security.admission.config.k8s.io/v1beta1",
    "defaults": {
      "audit": "restricted",
      "audit-version": "latest",
      "enforce": "privileged",
      "enforce-version": "latest",
      "warn": "restricted",
      "warn-version": "latest"
    },
    "exemptions": {
      "usernames": [
        "system:serviceaccount:openshift-infra:build-controller"
      ]
    },
    "kind": "PodSecurityConfiguration"
  }
}

4.13:
$ oc version
...
Server Version: 4.13.0-0.nightly-2023-03-23-204038
Kubernetes Version: v1.26.2+dc93b13
$ jq "" $(oc extract cm/config -n openshift-kube-apiserver --confirm) | jq '.admission.pluginConfig.PodSecurity'
{
  "configuration": {
    "apiVersion": "pod-security.admission.config.k8s.io/v1beta1",
    "defaults": {
      "audit": "restricted",
      "audit-version": "latest",
      "enforce": "privileged",
      "enforce-version": "latest",
      "warn": "restricted",
      "warn-version": "latest"
    },
    "exemptions": {
      "usernames": [
        "system:serviceaccount:openshift-infra:build-controller"
      ]
    },
    "kind": "PodSecurityConfiguration"
  }
}
Actual results:
See above.
Expected results:
It is better for pod-security admission config to align with upstream and use v1 rather than v1beta1.
Additional info:
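
An added example, not part of the original report or any OpenShift code: a Python check that compares the PodSecurity admission config's apiVersion with the one the upstream note quoted above calls for at a given Kubernetes version. The function names and the trimmed sample config are constructed for illustration.

```python
import json
import re

GROUP = "pod-security.admission.config.k8s.io"

# Constructed sample: trimmed kube-apiserver config carrying the PodSecurity
# plugin section in the shape shown in the report (hypothetical input).
SAMPLE_CONFIG = json.loads("""
{"admission": {"pluginConfig": {"PodSecurity": {"configuration": {
  "apiVersion": "pod-security.admission.config.k8s.io/v1beta1",
  "kind": "PodSecurityConfiguration",
  "defaults": {"enforce": "privileged", "audit": "restricted", "warn": "restricted"}
}}}}}
""")

def parse_minor(k8s_version):
    """Return (major, minor) from strings such as 'v1.25.7+eab9cc9'."""
    m = re.match(r"v?(\d+)\.(\d+)", k8s_version.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {k8s_version!r}")
    return int(m.group(1)), int(m.group(2))

def expected_api_version(k8s_version):
    """Upstream note: v1 requires v1.25+; v1.23 and v1.24 use v1beta1."""
    ver = parse_minor(k8s_version)
    if ver >= (1, 25):
        return f"{GROUP}/v1"
    if ver in ((1, 23), (1, 24)):
        return f"{GROUP}/v1beta1"
    return None  # the quoted upstream note does not cover this release

def check_pod_security(config, k8s_version):
    """Compare the configured apiVersion with the upstream one for this release."""
    plugin = config.get("admission", {}).get("pluginConfig", {}).get("PodSecurity")
    if not plugin:
        return {"status": "missing", "actual": None, "expected": None}
    actual = plugin.get("configuration", {}).get("apiVersion")
    expected = expected_api_version(k8s_version)
    if expected is None:
        status = "unknown"
    else:
        status = "aligned" if actual == expected else "mismatch"
    return {"status": status, "actual": actual, "expected": expected}

if __name__ == "__main__":
    for version in ("v1.25.7+eab9cc9", "v1.26.2+dc93b13", "v1.24.0"):
        print(version, check_pod_security(SAMPLE_CONFIG, version))
```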