Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-21776

[HyperShift] Runtime zero namespaces are not excluded from pod security in guest cluster

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done-Errata
    • Critical
    • 4.15.0
    • 4.14, 4.15
    • HyperShift
    • None
    • No
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • Release Note Not Required
    • In Progress

    Description

      Description of problem:  runtime zero namespaces ("default", "kube-system", "kube-public") are not excluded from pod security admission in hypershift guest cluster.
      In OCP, these runtime zero namespaces are excluded from PSA.

      How reproducible: Always 

      Steps to Reproduce:

      1. Install a fresh 4.14 hypershift cluster
2. Check the labels under default, kube-system, kube-public namespaces
3. Try to change the PSA value on these namespaces in hypershift guest cluster and the values are getting updated.

      Actual results:

      $ oc get ns default -oyaml --kubeconfig=guest.kubeconfig
...
  labels:
    kubernetes.io/metadata.name: default
  name: default
...
$ oc label ns default pod-security.kubernetes.io/enforce=restricted --overwrite --kubeconfig=guest.kubeconfig
namespace/default labeled
$ oc get ns default -oyaml --kubeconfig=guest.kubeconfig
...
  labels:
    kubernetes.io/metadata.name: default
    pod-security.kubernetes.io/enforce: restricted
  name: default

      Expected results:

      Runtime zero namespaces ("default", "kube-system", "kube-public") are excluded from pod security admission

      Additional info:

      kube-system ns is excluded from PSA in guest cluster but when try to update security.openshift.io/scc.podSecurityLabelSync value with true/false, it is not updated where as in management cluster podSecurityLabelSync value will get updated.

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-22379 [HyperShift] Runtime zero namespaces are not excluded from pod security in guest cluster

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-22379 [HyperShift] Runtime zero namespaces are not excluded from pod security in guest cluster

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          relates to

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. AUTH-411 Exclude runtime zero namespaces from pod security

          • Undefined - Priority not specified.
          • Closed
          links to

          GitHub openshift/hypershift#3115: OCPBUGS-21776: Cluster-policy-controller: add missing RBAC for privileged namespaces PSA syncer controller

          Web Link RHEA-2023:7198 rpm

          mentioned on

          GitLab Merge request - Bump IBM integration to our latest prod image.

          Activity

            People

              rh-ee-mraee Mulham Raee
              gkarager Giriyamma Karagere Ramaswamy (Inactive)
              Giriyamma Karagere Ramaswamy Giriyamma Karagere Ramaswamy (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: