OpenShift Bugs / OCPBUGS-54716

Cluster Compare - Multiple templates use MinimallySufficientPodSecurityStandard: privileged


    • Bug
    • Resolution: Unresolved
    • Normal
    • 4.19.0
    • GitOps ZTP
    • Quality / Stability / Reliability
    • False
    • cluster-compare sprint 271, cluster-compare sprint 273
    • 2
    • In Progress
    • Release Note Not Required

      Description of problem:

          The cluster compare tool reports that multiple templates still use the security.openshift.io/MinimallySufficientPodSecurityStandard: privileged parameter

      Version-Release number of selected component (if applicable):

          4.19.0-ec.4
          registry-proxy.engineering.redhat.com/rh-osbs/openshift4-ztp-site-generate:v4.19.0-44

      How reproducible:

          100%

      Steps to Reproduce:

          1. Deploy cluster
          2. Run cluster compare    

      Actual results:

          Differences found in CR: v1_Namespace_openshift-local-storage, Compared To Reference CR: optional/local-storage-operator/StorageNS.yaml
      diff -u -N /tmp/MERGED-3395614370/v1_namespace_openshift-local-storage /tmp/LIVE-3436458708/v1_namespace_openshift-local-storage
      --- /tmp/MERGED-3395614370/v1_namespace_openshift-local-storage	2025-03-31 20:07:37.473991790 -0400
      +++ /tmp/LIVE-3436458708/v1_namespace_openshift-local-storage	2025-03-31 20:07:37.473991790 -0400
      @@ -2,5 +2,6 @@
       kind: Namespace
       metadata:
         annotations:
      +    security.openshift.io/MinimallySufficientPodSecurityStandard: privileged
           workload.openshift.io/allowed: management
         name: openshift-local-storage
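
      Review bot: nothing in this hunk shows what wrote the security.openshift.io/MinimallySufficientPodSecurityStandard: privileged line under metadata.annotations, which appears on the LIVE side only, so establish whether it comes from the template or is applied by the cluster before choosing which side to change. If the cluster applies it, have the reference tolerate the key rather than hard-coding privileged into optional/local-storage-operator/StorageNS.yaml; privileged is the least restrictive pod security level, and a reference CR should only carry it with a stated reason for this namespace.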
      
      ---
      
      Differences found in CR: v1_Namespace_openshift-logging, Compared To Reference CR: required/cluster-logging/ClusterLogNS.yaml
      diff -u -N /tmp/MERGED-964051070/v1_namespace_openshift-logging /tmp/LIVE-3583522758/v1_namespace_openshift-logging
      --- /tmp/MERGED-964051070/v1_namespace_openshift-logging	2025-03-31 20:07:37.476991847 -0400
      +++ /tmp/LIVE-3583522758/v1_namespace_openshift-logging	2025-03-31 20:07:37.476991847 -0400
      @@ -2,6 +2,7 @@
       kind: Namespace
       metadata:
         annotations:
      +    security.openshift.io/MinimallySufficientPodSecurityStandard: privileged
           workload.openshift.io/allowed: management
         labels:
           openshift.io/cluster-monitoring: "true"
      
      ---
      
      Differences found in CR: v1_Namespace_openshift-ptp, Compared To Reference CR: required/ptp-operator/PtpSubscriptionNS.yaml
      diff -u -N /tmp/MERGED-91811619/v1_namespace_openshift-ptp /tmp/LIVE-4089297496/v1_namespace_openshift-ptp
      --- /tmp/MERGED-91811619/v1_namespace_openshift-ptp	2025-03-31 20:07:37.483991981 -0400
      +++ /tmp/LIVE-4089297496/v1_namespace_openshift-ptp	2025-03-31 20:07:37.483991981 -0400
      @@ -2,6 +2,7 @@
       kind: Namespace
       metadata:
         annotations:
      +    security.openshift.io/MinimallySufficientPodSecurityStandard: privileged
           workload.openshift.io/allowed: management
         labels:
           openshift.io/cluster-monitoring: "true"
      
      ---
      
      Differences found in CR: v1_Namespace_openshift-sriov-network-operator, Compared To Reference CR: required/sriov-operator/SriovSubscriptionNS.yaml
      diff -u -N /tmp/MERGED-297422610/v1_namespace_openshift-sriov-network-operator /tmp/LIVE-3542747904/v1_namespace_openshift-sriov-network-operator
      --- /tmp/MERGED-297422610/v1_namespace_openshift-sriov-network-operator	2025-03-31 20:07:37.486992039 -0400
      +++ /tmp/LIVE-3542747904/v1_namespace_openshift-sriov-network-operator	2025-03-31 20:07:37.486992039 -0400
      @@ -2,5 +2,6 @@
       kind: Namespace
       metadata:
         annotations:
      +    security.openshift.io/MinimallySufficientPodSecurityStandard: privileged
           workload.openshift.io/allowed: management
         name: openshift-sriov-network-operator
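
      Review bot: the single added annotation line here is byte-for-byte the same as in the three hunks above, so the fix belongs in one place covering all four reference CRs (StorageNS.yaml, ClusterLogNS.yaml, PtpSubscriptionNS.yaml, SriovSubscriptionNS.yaml) rather than four separate template edits that can drift apart. Whichever side is updated, record per namespace why privileged is expected instead of a more restrictive level, so that a later change in the annotation's value still shows up as a deviation instead of being silently accepted.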

      Expected results:

          No deviation should be reported by either updating the template or reference

      Additional info:

          Original issue was discovered based on source-crs from openshift4-ztp-site-generate:v4.19.0-36, but openshift4-ztp-site-generate:v4.19.0-44 (latest at the time of opening) shows no changes to the mentioned templates

       

              jramsay1@redhat.com Jim Ramsay
              agurenko@redhat.com Alexander Gurenko
              Dwaine Gonyier