Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-7267

[AUTH-262 epic story] [Enhancement] Modify the PSa pod extractor to mutate pod controller pod specs


    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Critical Critical
    • 4.14.0
    • 4.11
    • apiserver-auth
    • None
    • None
    • Auth - Sprint 232, Auth - Sprint 233, Auth - Sprint 234
    • 3
    • Rejected
    • False
    • Hide


    • When creating a pod controller (e.g. Deployment, StatefulSet), you should no longer get warning about pod security violations if the pod controller would create pods that don't violate pod security in that namespace.
    • Enhancement
    • Done

      Description of problem:

      When creating a pod controller (e.g. deployment) with pod spec that will be mutated by SCCs, the users might still get a warning about the pod not meeting given namespace pod security level.

      Version-Release number of selected component (if applicable):


      How reproducible:


      Steps to Reproduce:

      1. create a namespace with restricted PSa warning level (the default)
      2. create a deployment with a pod with an empty security context

      Actual results:

      You get a warning about the deployment's pod not meeting the NS's pod security admission requirements.

      Expected results:

      No warning if the pod for the deployment would be properly mutated by SCCs in order to fulfill the NS's pod security requirements.

      Additional info:

      originally implemented as a part of https://issues.redhat.com/browse/AUTH-337


            slaznick@redhat.com Stanislav Láznička
            slaznick@redhat.com Stanislav Láznička
            Giriyamma Karagere Ramaswamy Giriyamma Karagere Ramaswamy (Inactive)
            1 Vote for this issue
            11 Start watching this issue