- Bug
- Resolution: Done-Errata
- Critical
- 4.14, 4.15
- None
- No
- Rejected
- False
This is a clone of issue OCPBUGS-21776. The following is the description of the original issue:
—
Description of problem: the runtime zero namespaces ("default", "kube-system", "kube-public") are not excluded from pod security admission (PSA) in a HyperShift guest cluster.
In OCP, these runtime zero namespaces are excluded from PSA.
How reproducible: Always
Steps to Reproduce:
1. Install a fresh 4.14 HyperShift cluster.
2. Check the labels on the default, kube-system and kube-public namespaces.
3. Try to change the PSA value on these namespaces in the HyperShift guest cluster; the values get updated.
Actual results:
$ oc get ns default -oyaml --kubeconfig=guest.kubeconfig
...
  labels:
    kubernetes.io/metadata.name: default
  name: default
...
$ oc label ns default pod-security.kubernetes.io/enforce=restricted --overwrite --kubeconfig=guest.kubeconfig
namespace/default labeled
$ oc get ns default -oyaml --kubeconfig=guest.kubeconfig
...
  labels:
    kubernetes.io/metadata.name: default
    pod-security.kubernetes.io/enforce: restricted
  name: default
Expected results:
Runtime zero namespaces ("default", "kube-system", "kube-public") are excluded from pod security admission
Additional info:
The kube-system namespace is excluded from PSA in the guest cluster, but when trying to update the security.openshift.io/scc.podSecurityLabelSync label to true/false, it is not updated, whereas in the management cluster the podSecurityLabelSync value does get updated.
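The following audit script is an added example for verifying the behaviour described above; it is not part of this bug report or of the HyperShift/OCP code base. It reads the JSON from `oc get ns default kube-system kube-public -o json --kubeconfig=guest.kubeconfig` on stdin (a single-namespace `oc get ns default -o json` object is accepted too) and flags any runtime zero namespace that carries a `pod-security.kubernetes.io/*` label, which is exactly the state the "Actual results" section shows for `default`. It also reports the `security.openshift.io/scc.podSecurityLabelSync` label so the management and guest clusters can be compared. The embedded sample input is constructed from the guest-cluster output quoted above; the kube-system and kube-public entries in it are assumed to carry only the `kubernetes.io/metadata.name` label.

```python
import json
import sys

# Kubernetes "runtime zero" namespaces that OCP keeps out of pod security admission.
RUNTIME_ZERO_NAMESPACES = ("default", "kube-system", "kube-public")
PSA_LABEL_PREFIX = "pod-security.kubernetes.io/"
SYNC_LABEL = "security.openshift.io/scc.podSecurityLabelSync"


def audit_namespaces(obj):
    """Return {namespace: {"psa": {label: value}, "sync": value-or-None}} for every
    runtime zero namespace found in `obj`, which is either a Kubernetes List
    (as printed by `oc get ns a b c -o json`) or a single Namespace object."""
    items = [obj] if obj.get("kind") == "Namespace" else obj.get("items", [])
    report = {}
    for item in items:
        meta = item.get("metadata", {})
        name = meta.get("name")
        if name not in RUNTIME_ZERO_NAMESPACES:
            continue
        labels = meta.get("labels") or {}
        psa = {k: v for k, v in labels.items() if k.startswith(PSA_LABEL_PREFIX)}
        report[name] = {"psa": psa, "sync": labels.get(SYNC_LABEL)}
    return report


def violations(report):
    """Names of runtime zero namespaces that carry any PSA label, i.e. were not excluded."""
    return sorted(name for name, r in report.items() if r["psa"])


# Constructed sample (not captured from a real cluster): mirrors the guest-cluster state
# quoted in the bug after `oc label ns default pod-security.kubernetes.io/enforce=restricted`
# was accepted. The kube-system/kube-public label sets are assumed.
SAMPLE_NAMESPACE_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "v1", "kind": "Namespace",
         "metadata": {"name": "default",
                      "labels": {"kubernetes.io/metadata.name": "default",
                                 "pod-security.kubernetes.io/enforce": "restricted"}}},
        {"apiVersion": "v1", "kind": "Namespace",
         "metadata": {"name": "kube-system",
                      "labels": {"kubernetes.io/metadata.name": "kube-system"}}},
        {"apiVersion": "v1", "kind": "Namespace",
         "metadata": {"name": "kube-public",
                      "labels": {"kubernetes.io/metadata.name": "kube-public"}}},
    ],
}


def main():
    # Piped input: `oc get ns default kube-system kube-public -o json | python3 psa_audit.py`
    # With no pipe, fall back to the constructed sample so the script runs offline.
    data = SAMPLE_NAMESPACE_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    report = audit_namespaces(data)
    for name in RUNTIME_ZERO_NAMESPACES:
        r = report.get(name)
        if r is None:
            print(f"{name}: not present in input")
        else:
            print(f"{name}: psa={r['psa'] or '{}'} sync={r['sync']}")
    bad = violations(report)
    if bad:
        print("FAIL: PSA labels are applied on " + ", ".join(bad))
        return 1
    print("OK: no PSA labels on runtime zero namespaces")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit means at least one runtime zero namespace accepted a PSA label, which is the bug; after the errata fix the same command against the guest cluster should report OK for all three namespaces.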
- clones: OCPBUGS-21776 [HyperShift] Runtime zero namespaces are not excluded from pod security in guest cluster (Closed)
- is blocked by: OCPBUGS-21776 [HyperShift] Runtime zero namespaces are not excluded from pod security in guest cluster (Closed)
- links to: RHBA-2023:6837 OpenShift Container Platform 4.14.z bug fix update