-
Bug
-
Resolution: Unresolved
-
Undefined
-
None
-
4.19, 4.20, 4.21
-
None
-
None
-
False
-
-
None
-
Moderate
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
-
None
Description of problem:
When creating a Namespace resource including one or more pre-defined "openshift.io"-prefixed annotations (such as "openshift.io/sa.scc.uid-range"), the remaining missing annotations will not be added by the cluster-policy-controller. As a result, pods in such namespaces cannot be created: 3s Warning FailedCreate deploymentconfig/postgresql Error creating deployer pod: pods "postgresql-1-deploy" is forbidden: error fetching namespace "test-annotations-2": unable to find annotation openshift.io/sa.scc.mcs
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Create a namespace using, e.g., the following manifest:
oc create -f - << EOF
apiVersion: v1
kind: Namespace
metadata:
annotations:
openshift.io/sa.scc.uid-range: 1000930000/10000
name: test
EOF
2. On the cluster, note the missing "openshift.io"-prefixed annotations on the namespace:
$ oc get namespace test -o yaml
apiVersion: v1
kind: Namespace
metadata:
annotations:
openshift.io/sa.scc.uid-range: 1000930000/10000
security.openshift.io/MinimallySufficientPodSecurityStandard: restricted
creationTimestamp: "2026-01-29T11:06:08Z"
labels:
kubernetes.io/metadata.name: test
...
Actual results:
The namespace only has the pre-defined "openshift.io/sa.scc.uid-range" annotation. Annotations - openshift.io/description - openshift.io/display-name - openshift.io/requester - openshift.io/sa.scc.mcs - openshift.io/sa.scc.supplemental-groups are missing.
Expected results:
The other missing annotations are added to the namespace.
Additional info:
There's certain usecases that need this functionality, such as the one described here: https://access.redhat.com/articles/7131840#prepare-namespace
