Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: 4.14.0
Affects Version/s: 4.13.0, 4.12.z
Component/s: apiserver-auth
Labels:
- no-doc

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Moderate
Regression:
No

Target Backport Versions:
None
Target Version:

4.14.0
Release Blocker:
None
Sprint:
Auth - Sprint 235
sprint_count:
1

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:
It is better for pod-security admission config to use v1 like upstream instead of still using v1beta1

Version-Release number of selected component (if applicable):
4.12, 4.13

How reproducible:
Always

Steps to Reproduce:
1. In upstream, when it was 1.24, https://v1-24.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller shows "pod-security.admission.config.k8s.io/v1beta1".

When it was 1.25 (OCP 4.12), https://v1-25.docs.kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/#configure-the-admission-controller does not show "shows pod-security.admission.config.k8s.io/v1beta1" any longer. In the bottom, it notes: pod-security.admission.config.k8s.io/v1 configuration requires v1.25+. For v1.23 and v1.24, use v1beta1.

In OCP 4.12 (1.25) and 4.13 (1.26), it is still v1beta1, we'd better to align with upstream:

4.12:
$ oc version
..
Server Version: 4.12.9
Kubernetes Version: v1.25.7+eab9cc9

$ jq "" $(oc extract cm/config -n openshift-kube-apiserver --confirm) | jq '.admission.pluginConfig.PodSecurity'
{
  "configuration": {
    "apiVersion": "pod-security.admission.config.k8s.io/v1beta1",
    "defaults": {
      "audit": "restricted",
      "audit-version": "latest",
      "enforce": "privileged",
      "enforce-version": "latest",
      "warn": "restricted",
      "warn-version": "latest"
    },
    "exemptions": {
      "usernames": [
        "system:serviceaccount:openshift-infra:build-controller"
      ]
    },
    "kind": "PodSecurityConfiguration"
  }
}

4.13:
$ oc version
...
Server Version: 4.13.0-0.nightly-2023-03-23-204038
Kubernetes Version: v1.26.2+dc93b13

$ jq "" $(oc extract cm/config -n openshift-kube-apiserver --confirm) | jq '.admission.pluginConfig.PodSecurity'
{
  "configuration": {
    "apiVersion": "pod-security.admission.config.k8s.io/v1beta1",
    "defaults": {
      "audit": "restricted",
      "audit-version": "latest",
      "enforce": "privileged",
      "enforce-version": "latest",
      "warn": "restricted",
      "warn-version": "latest"
    },
    "exemptions": {
      "usernames": [
        "system:serviceaccount:openshift-infra:build-controller"
      ]
    },
    "kind": "PodSecurityConfiguration"
  }
}

Actual results:

See above.

Expected results:

It is better for pod-security admission config to align with upstream to use v1 than v1beta1.

Additional info:

links to

openshift/cluster-kube-apiserver-operator#1481: OCPBUGS-10831: pod security: use v1 api

RHEA-2023:5006 rpm

Assignee:: Stanislav Láznička (Inactive)

Reporter:: Xingxing Xia

Need Info From:: None

Contributors:: None

QA Contact:: Giriyamma Karagere Ramaswamy (Inactive)

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2023/03/24 9:48 AM

Updated:: 2025/07/27 11:39 AM

Resolved:: 2023/10/31 12:55 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates