
Hosted clusters default KAS PSA config should be consistent with OCP

    • Type: Bug
    • Priority: Critical
    • Resolution: Done
    • Version: 4.14.0
    • Component: HyperShift
    • Sprint: Hypershift Sprint 243
    • Release Note Type: Bug Fix
    • Release Note Text: Before this update, the Pod Security Admission (PSA) for the `HostedCluster` Kubernetes API server set the default value for the `enforce` setting to `restricted`. As a result, the `HostedCluster` PSA was out of parity with the PSA for the OpenShift Container Platform Kubernetes API server. With this update, the PSA for the `HostedCluster` Kubernetes API server uses `privileged` as the default value for the `enforce` setting, which resolves the issue and brings the PSA of the `HostedCluster` Kubernetes API server into parity with the PSA of the OpenShift Container Platform Kubernetes API server. (https://issues.redhat.com/browse/OCPBUGS-20249)

Description of problem:

[Hypershift] default KAS PSA config should be consistent with OCP
 enforce: privileged

Version-Release number of selected component (if applicable):

Cluster version is 4.14.0-0.nightly-2023-10-08-220853

How reproducible:

Always

Steps to Reproduce:

1. Install OCP cluster and hypershift operator
2. Create hosted cluster
3. Check the default kas config of the hosted cluster

Actual results:

The hosted cluster default kas PSA config enforce is 'restricted'
$ jq '.admission.pluginConfig.PodSecurity' < `oc extract cm/kas-config -n clusters-9cb7724d8bdd0c16a113 --confirm`
{
  "location": "",
  "configuration": {
    "kind": "PodSecurityConfiguration",
    "apiVersion": "pod-security.admission.config.k8s.io/v1beta1",
    "defaults": {
      "enforce": "restricted",
      "enforce-version": "latest",
      "audit": "restricted",
      "audit-version": "latest",
      "warn": "restricted",
      "warn-version": "latest"
    },
    "exemptions": {
      "usernames": [
        "system:serviceaccount:openshift-infra:build-controller"
      ]
    }
  }
}

Expected results:

The hosted cluster default kas PSA config enforce should be 'privileged' in
https://github.com/openshift/hypershift/blob/release-4.13/control-plane-operator/controllers/hostedcontrolplane/kas/config.go#L93

Additional info:

References: OCPBUGS-8710
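As an added example (not HyperShift's or OCP's own code) of checking a hosted cluster's kas-config for the parity this bug is about: a small Python check that walks the same path as the `jq '.admission.pluginConfig.PodSecurity'` command above and reports every PSA default that differs from OCP's. It assumes OCP's audit and warn levels are `restricted` (the report states only the enforce level) and embeds the dump from the report as constructed input.

```python
import json
from typing import Dict, Tuple

# PSA defaults of an OCP kube-apiserver. "enforce: privileged" is the value the
# bug says HyperShift must match; the audit/warn levels are assumed (the report
# states only the enforce level) and the *-version fields mirror the dump.
OCP_PSA_DEFAULTS: Dict[str, str] = {
    "enforce": "privileged", "enforce-version": "latest",
    "audit": "restricted", "audit-version": "latest",
    "warn": "restricted", "warn-version": "latest",
}

# Constructed sample: the hosted-cluster kas-config excerpt from the bug, wrapped
# in the admission section that the `jq '.admission.pluginConfig.PodSecurity'`
# command in the report was selecting from.
HOSTED_KAS_CONFIG = json.dumps({"admission": {"pluginConfig": {"PodSecurity": {
    "location": "",
    "configuration": {
        "kind": "PodSecurityConfiguration",
        "apiVersion": "pod-security.admission.config.k8s.io/v1beta1",
        "defaults": {
            "enforce": "restricted", "enforce-version": "latest",
            "audit": "restricted", "audit-version": "latest",
            "warn": "restricted", "warn-version": "latest",
        },
        "exemptions": {"usernames": [
            "system:serviceaccount:openshift-infra:build-controller"]},
    },
}}}})


def psa_defaults(kas_config: str) -> Dict[str, str]:
    """Return the PodSecurity admission defaults from a kas-config document,
    rejecting anything that is not a PodSecurityConfiguration."""
    conf = json.loads(kas_config)["admission"]["pluginConfig"]["PodSecurity"]["configuration"]
    if conf.get("kind") != "PodSecurityConfiguration":
        raise ValueError(f"unexpected admission config kind: {conf.get('kind')!r}")
    return dict(conf.get("defaults", {}))


def psa_drift(kas_config: str, expected: Dict[str, str] = OCP_PSA_DEFAULTS
              ) -> Dict[str, Tuple[str, str]]:
    """Map each PSA default that differs from OCP to (hosted value, OCP value).
    An empty result means the hosted KAS is in parity with OCP."""
    actual = psa_defaults(kas_config)
    return {key: (actual.get(key), want)
            for key, want in expected.items() if actual.get(key) != want}
```

Run against the dump from the report, `psa_drift` returns only the `enforce` mismatch; once the hosted config carries `privileged` it returns an empty dict.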

People: Bryan Cox, Giriyamma Karagere Ramaswamy, Laura Hinson