Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-20249

Hosted clusters default KAS PSA config should be consistent with OCP

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 4.14.0
    • 4.14.0
    • HyperShift
    • None
    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • Critical
    • No
    • None
    • Approved
    • Hypershift Sprint 243
    • 1
    • Done
    • Bug Fix
    • Hide
      Before this update, the Pod Security Admission (PSA) for the `HostedCluster` Kubernetes API server set the default value for the `enforce` setting to `restricted`. As a result, the `HostedCluster` PSA was out of parity with the PSA for the OpenShift Container Platform Kubernetes API server. With this update, the PSA for the `HostedCluster` Kubernetes API server uses `privileged` as the default value for the `enforce` setting, which resolves the issue and brings the PSA of the `HostedCluster` Kubernetes API server to be in parity with the PSA of the OpenShift Container Platform Kubernetes API server. (link:https://issues.redhat.com/browse/OCPBUGS-20249[*OCPBUGS-20249]*)
      Show
      Before this update, the Pod Security Admission (PSA) for the `HostedCluster` Kubernetes API server set the default value for the `enforce` setting to `restricted`. As a result, the `HostedCluster` PSA was out of parity with the PSA for the OpenShift Container Platform Kubernetes API server. With this update, the PSA for the `HostedCluster` Kubernetes API server uses `privileged` as the default value for the `enforce` setting, which resolves the issue and brings the PSA of the `HostedCluster` Kubernetes API server to be in parity with the PSA of the OpenShift Container Platform Kubernetes API server. (link: https://issues.redhat.com/browse/OCPBUGS-20249 [* OCPBUGS-20249 ]*)
    • None
    • None
    • None
    • None

      Description of problem:

      [Hypershift] default KAS PSA config should be consistent with OCP 
 enforce: privileged

      Version-Release number of selected component (if applicable):

      Cluster version is 4.14.0-0.nightly-2023-10-08-220853

      How reproducible:

      Always

      Steps to Reproduce:

      1. Install OCP cluster and hypershift operator
2. Create hosted cluster
3. Check the default kas config of the hosted cluster

      Actual results:

      The hosted cluster default kas PSA config enforce is 'restricted'
$ jq '.admission.pluginConfig.PodSecurity' < `oc extract cm/kas-config -n clusters-9cb7724d8bdd0c16a113 --confirm`
{
  "location": "",
  "configuration": {
    "kind": "PodSecurityConfiguration",
    "apiVersion": "pod-security.admission.config.k8s.io/v1beta1",
    "defaults": {
      "enforce": "restricted",
      "enforce-version": "latest",
      "audit": "restricted",
      "audit-version": "latest",
      "warn": "restricted",
      "warn-version": "latest"
    },
    "exemptions": {
      "usernames": [
        "system:serviceaccount:openshift-infra:build-controller"
      ]
    }
  }
}

      Expected results:

      The hosted cluster default kas PSA config enforce should be 'privileged' in

https://github.com/openshift/hypershift/blob/release-4.13/control-plane-operator/controllers/hostedcontrolplane/kas/config.go#L93

      Additional info:

      References: OCPBUGS-8710

              rh-ee-brcox Bryan Cox
              gkarager Giriyamma Karagere Ramaswamy (Inactive)
              None
              None
              Giriyamma Karagere Ramaswamy Giriyamma Karagere Ramaswamy (Inactive)
              Laura Hinson Laura Hinson
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

                Created:
                Updated:
                Resolved: