In the documentation for Pod Security Admission there is a section "Controlling pod security admission synchronization" where a procedure is given to apply synchronization label "security.openshift.io/scc.podSecurityLabelSync=false".

The procedure fails to cover "--overwrite" parameter in case one wants to change the existing label.

------------------------------------------------------------------
For example:

- If the label is set to false as follows:

  $ oc label namespace <namespace_name> security.openshift.io/scc.podSecurityLabelSync=false


- And if it is needed to set as true with following command, throws an error:

$ oc label namespace <namespace_name> security.openshift.io/scc.podSecurityLabelSync=false 

Error:  error: 'security.openshift.io/scc.podSecurityLabelSync' already has a value (false), and --overwrite is false 


- The command only works if we add parameter --overwrite, this can be added as a Note in the procedure section.

Note: To update the existing applied label on namespace kindly use --overwrite parameter as follows:

$ oc label ns <ns_name> label=value --overwrite

--------------------------------------------------------------------



- Section link: https://docs.openshift.com/container-platform/4.14/authentication/understanding-and-managing-pod-security-admission.html#security-context-constraints-psa-opting_understanding-and-managing-pod-security-admission

- Documentation link:  https://docs.openshift.com/container-platform/4.15/authentication/understanding-and-managing-pod-security-admission.html

    4.15.z

    NA

    1.
    2.
    3.