OpenShift Bugs: OCPBUGS-56910

Don't enforce restricted PSA for 4.19 hosted cluster

Type: Bug
Priority: Critical
Resolution: Done-Errata
Component: HyperShift
Versions: 4.19.0, 4.19
Release Note Not Required
In Progress
      This is a clone of issue OCPBUGS-56777. The following is the description of the original issue:

      Description of problem:

         It has been decided that restricted PSA enforcement will be disabled in 4.19.

      Version-Release number of selected component (if applicable):

          4.19.0-rc

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create a namespace in a **HyperShift hosted cluster** and check its pod-security.kubernetes.io/enforce label
      $ oc new-project xxia-test
      $ oc get ns xxia-test -o yaml
      ...
        labels:
          kubernetes.io/metadata.name: xxia-test
          pod-security.kubernetes.io/audit: restricted
          pod-security.kubernetes.io/audit-version: latest
          pod-security.kubernetes.io/enforce: restricted
          pod-security.kubernetes.io/enforce-version: latest
          pod-security.kubernetes.io/warn: restricted
          pod-security.kubernetes.io/warn-version: latest
      
      2. Check global setting in the hypershift mgmt cluster
      $ oc get --kubeconfig=$MGMT_KUBECONFIG cm/kas-config -n clusters-$HC_NAME -ojsonpath='{.data.config\.json}' | jq '.admission.pluginConfig.PodSecurity'
      {
        "location": "",
        "configuration": {
          "kind": "PodSecurityConfiguration",
          "apiVersion": "pod-security.admission.config.k8s.io/v1beta1",
          "defaults": {
            "enforce": "restricted",
            "enforce-version": "latest",
            "audit": "restricted",
            "audit-version": "latest",
            "warn": "restricted",
            "warn-version": "latest"
          },
          "exemptions": {
            "usernames": [
              "system:serviceaccount:openshift-infra:build-controller"
            ]
          }
        }
      }

      Actual results:

          1. pod-security.kubernetes.io/enforce is set to "restricted" on the new namespace
          2. The global PodSecurity admission default enforces "restricted"

      Expected results:

          1. pod-security.kubernetes.io/enforce should not be set on the namespace
          2. The global PodSecurity admission default should not enforce "restricted"
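      The two checks above can be reduced to one verifier script. The following is an added example, not code from the bug report or from HyperShift: it takes the PodSecurity plugin config from kas-config and a list of namespace objects (both constructed inline here, in the same shape as the output in the steps above), resolves the effective enforce level the way Kubernetes PSA does (namespace label overrides the admission-config default, falling back to "privileged"), and reports every place where the restricted profile is enforced rather than merely audited or warned.

```python
import json

LABEL_PREFIX = "pod-security.kubernetes.io/"
PSA_MODES = ("enforce", "audit", "warn")

# Constructed sample input: the PodSecurity admission plugin config as it
# appears in the hosted cluster's kas-config (same shape as in the report),
# plus two namespace objects as `oc get ns -o json` would return them.
KAS_PSA_CONFIG = json.loads("""{
  "location": "",
  "configuration": {
    "kind": "PodSecurityConfiguration",
    "apiVersion": "pod-security.admission.config.k8s.io/v1beta1",
    "defaults": {"enforce": "restricted", "enforce-version": "latest",
                 "audit": "restricted", "audit-version": "latest",
                 "warn": "restricted", "warn-version": "latest"},
    "exemptions": {"usernames": ["system:serviceaccount:openshift-infra:build-controller"]}
  }
}""")
NAMESPACES = [
    {"metadata": {"name": "xxia-test", "labels": {
        LABEL_PREFIX + "enforce": "restricted", LABEL_PREFIX + "enforce-version": "latest",
        LABEL_PREFIX + "audit": "restricted", LABEL_PREFIX + "warn": "restricted"}}},
    # A namespace with no PSA labels at all: it inherits the cluster default.
    {"metadata": {"name": "unlabeled", "labels": {}}},
]

def effective_psa(defaults, labels):
    """Resolve the level applied for each PSA mode: a namespace label wins over
    the admission-config default; with neither, Kubernetes uses "privileged"."""
    return {mode: labels.get(LABEL_PREFIX + mode, defaults.get(mode, "privileged"))
            for mode in PSA_MODES}

def restricted_enforce_findings(psa_plugin_config, namespaces):
    """List where the restricted profile is *enforced* (audit/warn do not block pods)."""
    defaults = psa_plugin_config.get("configuration", {}).get("defaults", {})
    findings = []
    if defaults.get("enforce") == "restricted":
        findings.append("global: admission default enforce=restricted")
    for ns in namespaces:
        name = ns["metadata"]["name"]
        labels = ns["metadata"].get("labels") or {}
        if effective_psa(defaults, labels)["enforce"] == "restricted":
            source = "label" if LABEL_PREFIX + "enforce" in labels else "cluster default"
            findings.append(f"namespace {name}: enforce=restricted (via {source})")
    return findings

if __name__ == "__main__":
    for line in restricted_enforce_findings(KAS_PSA_CONFIG, NAMESPACES):
        print(line)
```

With the expected 4.19 state (no "enforce" key in the defaults and no enforce label on new namespaces) the function returns an empty list.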

      Additional info:

          We need to disable the feature flag.

              Assignee: Unassigned
              openshift-crt-jira-prow (OpenShift Prow Bot)
              Ying Zhou