OpenShift Bugs: OCPBUGS-42526

The openshift-operator-lifecycle-manager and openshift-marketplace namespaces still use old pod-security.kubernetes.io/*-version v1.24 and v1.25 respectively


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Affects Version/s: 4.17.z, 4.16.z, 4.18
    • Component/s: OLM
    • Moderate
    • Rejected
    • False

      Description of problem:

      Starting with OCPBUGS-41849, "pod-security.kubernetes.io/*-version" is set to "latest". However, the openshift-operator-lifecycle-manager and openshift-marketplace namespaces still use the old pod-security.kubernetes.io/*-version values v1.24 and v1.25 respectively. Therefore, this Jira tracker was created.


      Version-Release number of selected component (if applicable):

      4.16.0-0.nightly-2024-09-26-011209
      4.17.0-rc.6
      4.18.0-0.nightly-2024-09-26-222528

      How reproducible:

      Always

      Steps to Reproduce:

      Check `oc get ns -o yaml` in 4.16 / 4.17 / 4.18 envs.

      Actual results:

      All envs show the openshift-operator-lifecycle-manager and openshift-marketplace namespaces still use old pod-security.kubernetes.io/*-version v1.24 and v1.25 respectively:
      - apiVersion: v1
        kind: Namespace
        metadata:
          ...
          labels:
            ...
            pod-security.kubernetes.io/audit: baseline
            pod-security.kubernetes.io/audit-version: v1.25
            pod-security.kubernetes.io/enforce: baseline
            pod-security.kubernetes.io/enforce-version: v1.25
            pod-security.kubernetes.io/warn: baseline
            pod-security.kubernetes.io/warn-version: v1.25
          name: openshift-marketplace
      ...
      - apiVersion: v1
        kind: Namespace
        metadata:
          ...
          labels:
            ...
            pod-security.kubernetes.io/enforce: restricted
            pod-security.kubernetes.io/enforce-version: v1.24
          name: openshift-operator-lifecycle-manager
      ...
      - apiVersion: v1
        kind: Namespace
        metadata:
          ...
          labels:
            kubernetes.io/metadata.name: openshift-operators
            openshift.io/scc: ""
            pod-security.kubernetes.io/enforce: privileged
            pod-security.kubernetes.io/enforce-version: v1.24
          name: openshift-operators
      ...

      Expected results:

      Just as OCPBUGS-41849 sets "pod-security.kubernetes.io/*-version" to "latest" starting in 4.17, the openshift-operator-lifecycle-manager and openshift-marketplace namespaces should no longer use the old pod-security.kubernetes.io/*-version values v1.24 and v1.25 respectively.

      The openshift-operators namespace is worth mentioning here too: it still uses v1.24. Although https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/2579-psp-replacement/README.md#versioning says "The privileged profile always means fully unconstrained and is effectively unversioned (specifying a version is allowed but ignored)", it is better not to specify v1.24.
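As an added audit check (not part of the bug report), the following Python script flags every namespace whose pod-security.kubernetes.io/*-version label is pinned to something other than "latest", separating the privileged case (version ignored per the KEP, but still worth dropping) from the baseline/restricted case. It assumes the JSON shape of `oc get ns -o json`; the embedded sample is constructed from the labels quoted above, with a hypothetical compliant namespace added for contrast.

```python
"""Audit pod-security.kubernetes.io/*-version labels from `oc get ns -o json`."""
import json
import subprocess

PSA_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")
NOTE_PINNED = "pins an old policy version; should be 'latest'"
NOTE_PRIVILEGED = "ignored for the privileged profile; drop the label anyway"

def find_pinned_psa_versions(namespace_list):
    """Return (namespace, mode, level, version, note) for every PSA *-version
    label whose value is something other than 'latest'."""
    findings = []
    for item in namespace_list.get("items", []):
        meta = item["metadata"]
        labels = meta.get("labels") or {}
        for mode in MODES:
            version = labels.get(PSA_PREFIX + mode + "-version")
            if version in (None, "latest"):
                continue
            level = labels.get(PSA_PREFIX + mode, "(unset)")
            # Privileged is effectively unversioned (KEP-2579), but a stale label still deserves cleanup.
            note = NOTE_PRIVILEGED if level == "privileged" else NOTE_PINNED
            findings.append((meta["name"], mode, level, version, note))
    return findings

def audit_cluster():
    """Run the audit against the logged-in cluster (assumes `oc` is on PATH)."""
    raw = subprocess.check_output(["oc", "get", "ns", "-o", "json"])
    return find_pinned_psa_versions(json.loads(raw))

def _ns(name, labels):
    return {"metadata": {"name": name, "labels": labels}}

# Constructed sample: the three namespaces quoted in the report plus one
# hypothetical compliant namespace ("example-ns"); not real cluster output.
SAMPLE = {"items": [
    _ns("openshift-marketplace", {**{PSA_PREFIX + m: "baseline" for m in MODES},
                                  **{PSA_PREFIX + m + "-version": "v1.25" for m in MODES}}),
    _ns("openshift-operator-lifecycle-manager",
        {PSA_PREFIX + "enforce": "restricted", PSA_PREFIX + "enforce-version": "v1.24"}),
    _ns("openshift-operators",
        {PSA_PREFIX + "enforce": "privileged", PSA_PREFIX + "enforce-version": "v1.24"}),
    _ns("example-ns", {PSA_PREFIX + "enforce": "restricted", PSA_PREFIX + "enforce-version": "latest"}),
]}

if __name__ == "__main__":
    for ns, mode, level, version, note in find_pinned_psa_versions(SAMPLE):
        print(f"{ns}: {mode}={level} {mode}-version={version} -> {note}")
```

Replace `SAMPLE` with `audit_cluster()` to check a live cluster; an empty result means no namespace pins a PSA version.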

      Additional info:

              Lalatendu Mohanty
              Xingxing Xia
              Jian Zhang