Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-20526

[HCP] PSA labels on namespaces in HyperShift guest cluster enforce "restricted" while OCP of same version is good without such issue

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Critical
    • 4.14.0
    • 4.14
    • HyperShift
    • No
    • Hypershift Sprint 243, Hypershift Sprint 244
    • 2
    • Rejected
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      [Hypershift] KAS labels on projects created should be consistent with OCP 
       enforce: privileged 

      Version: 4.14.0-0.nightly-2023-10-10-084534

      How reproducible: Always

      Steps to Reproduce:

      1. Install OCP cluster and hypershift operator
      2. Create hosted cluster
      3. Create a test project on hosted cluster

      Actual results:

      The hosted cluster KAS labels on the test project is 'enforce: restricted'
      $ oc new-project test1 --kubeconfig=guest.kubeconfig 
      $ oc get ns test1 -oyaml --kubeconfig=guest.kubeconfig 
      ...
        labels:
          kubernetes.io/metadata.name: test1
          pod-security.kubernetes.io/audit: restricted
          pod-security.kubernetes.io/audit-version: v1.24
          pod-security.kubernetes.io/enforce: restricted
          pod-security.kubernetes.io/enforce-version: v1.24
          pod-security.kubernetes.io/warn: restricted
          pod-security.kubernetes.io/warn-version: v1.24
        name: test1
      ...
       
      

      Expected results:

      The hosted cluster KAS labels on projects should be "enforce: privileged" as Managent cluster KAS labels on projects created is "enforce: privileged"

      Management cluster:

      $ oc new-project test
      $ oc get ns test -oyaml
      ...
        labels:
          kubernetes.io/metadata.name: test
          pod-security.kubernetes.io/audit: restricted
          pod-security.kubernetes.io/audit-version: v1.24
          pod-security.kubernetes.io/warn: restricted
          pod-security.kubernetes.io/warn-version: v1.24
        name: test
      ...

      Attachments

        Issue Links

          Activity

            People

              rh-ee-mraee Mulham Raee
              gkarager Giriyamma Karagere Ramaswamy (Inactive)
              Giriyamma Karagere Ramaswamy Giriyamma Karagere Ramaswamy (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: