Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-56773

Disable PSA for 4.19

XMLWordPrintable

    • Quality / Stability / Reliability
    • False
    • Hide

      None

      Show
      None
    • None
    • Critical
    • Yes
    • None
    • Approved
    • None
    • In Progress
    • Release Note Not Required
    • None
    • None
    • None
    • None
    • None

      Description of problem:

         PSA is enabled in 4.19

      Version-Release number of selected component (if applicable):

          4.19.0-rc

      How reproducible:

      Always

      Steps to Reproduce:

          1. Create a namespace
    2. pod-security.kubernetes.io/enforce is being set

and

    1. Run: oc -n openshift-kube-apiserver get cm config -ojson | jq .data | rg config | awk '{ print $2 }' | sed 's/\\//g' | sed 's/"$//g' | sed 's/^"//g' | jq '.admission.pluginConfig.PodSecurity.configuration.defaults'    

      Actual results:

          pod-security.kubernetes.io/enforce is being set

and

{
  "audit": "restricted",
  "audit-version": "latest",
  "enforce": "restricted",
  "enforce-version": "latest",
  "warn": "restricted",
  "warn-version": "latest"
}

      Expected results:

          pod-security.kubernetes.io/enforce should not be set

or 

{
  "audit": "restricted",
  "audit-version": "latest",
  "enforce": "privileged",
  "enforce-version": "latest",
  "warn": "restricted",
  "warn-version": "latest"
}

      Additional info:

          We need to disable the feature flag.

              kostrows@redhat.com Krzysztof Ostrowski
              kostrows@redhat.com Krzysztof Ostrowski
              None
              None
              Ying Zhou Ying Zhou
              None
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: