Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-7268

[4.13] Modify the PSa pod extractor to mutate pod controller pod specs

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 4.13.0
    • 4.11
    • apiserver-auth
    • None
    • Auth - Sprint 232, Auth - Sprint 233, Auth - Sprint 234, Auth - Sprint 235
    • 4
    • Rejected
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      When creating a pod controller (e.g. deployment) with pod spec that will be mutated by SCCs, the users might still get a warning about the pod not meeting given namespace pod security level.

      Version-Release number of selected component (if applicable):

      4.11

      How reproducible:

      100%

      Steps to Reproduce:

      1. create a namespace with restricted PSa warning level (the default)
2. create a deployment with a pod with an empty security context

      Actual results:

      You get a warning about the deployment's pod not meeting the NS's pod security admission requirements.

      Expected results:

      No warning if the pod for the deployment would be properly mutated by SCCs in order to fulfill the NS's pod security requirements.

      Additional info:

      originally implemented as a part of https://issues.redhat.com/browse/AUTH-337

       

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-11698 [4.13] Modify the PSa pod extractor to mutate pod controller pod specs

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          clones

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-7267 [AUTH-262 epic story] [Enhancement] Modify the PSa pod extractor to mutate pod controller pod specs

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-7267 [AUTH-262 epic story] [Enhancement] Modify the PSa pod extractor to mutate pod controller pod specs

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-11698 [4.13] Modify the PSa pod extractor to mutate pod controller pod specs

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          links to

          GitHub openshift/apiserver-library-go#102: OCPBUGS-7268: Add SeccompProfile field if the annotation is specified

          GitHub openshift/kubernetes#1544: OCPBUGS-7268: Extractor more fixes 4.13

          Activity

            People

              slaznick@redhat.com Stanislav Laznicka
              slaznick@redhat.com Stanislav Laznicka
              Giriyamma Karagere Ramaswamy Giriyamma Karagere Ramaswamy (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: