Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: 4.13.0
Component/s: apiserver-auth
Labels:
- UpdateRecommendationsBlocked
- UpgradeBlocker

Severity:
Critical
Regression:
No
Sprint:
Auth - Sprint 233
sprint_count:
1
Release Blocker:
Approved
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.13.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

We shouldn't enforce PSa in 4.13, neither by label sync, neither by global cluster config.

Version-Release number of selected component (if applicable):

4.13

How reproducible:

100%

Steps to Reproduce:

As a cluster admin:
1. create two new namespaces/projects: pokus, openshift-pokus
2. as a cluster-admin, attempt to create a privileged pod in both the namespaces from 1.

Actual results:

pod creation is blocked by pod security admission

Expected results:

only a warning about pod violating the namespace pod security level should be emitted

Additional info:

This is currently a noop for 4.14

blocks

OCPBUGS-3985 Allow PSa enforcement in 4.13 by using featuresets

Closed

clones

OCPBUGS-8709 don't enforce PSa in 4.13

Closed

is blocked by

OCPBUGS-8709 don't enforce PSa in 4.13

Closed

OCPBUGS-10353 kube-apiserver not receiving or processing shutdown signal after coreos 9.2 bump

Closed

is cloned by

OCPBUGS-16726 [4.14] don't enforce PSa in 4.14

Closed

is related to

AUTH-351 Impact don't enforce PSa in 4.13

Closed

is triggered by

OCPBUGS-3663 don't enforce PSa in 4.12

Closed

relates to

JBEAP-24518 Operator isn't compatible with new security standards in upcoming OCP

Closed

links to

openshift/api#1422: [4.13] OCPBUGS-8710: make PSa logging again

openshift/cluster-config-operator#290: [4.13] OCPBUGS-8710: bump o/api for the updated featureflags

openshift/cluster-kube-apiserver-operator#1463: [4.13] OCPBUGS-8710: turn PSa to logging mode by default again

openshift/cluster-kube-controller-manager-operator#711: [4.13] OCPBUGS-8710: Move PSa back to logging

openshift/cluster-policy-controller#106: [4.13] OCPBUGS-8710: psalabelsyncer: invert the enforce/log logic to default to logging

(1 is related to, 1 is triggered by, 1 relates to, 5 links to)

Assignee:: Stanislav Láznička (Inactive)

Reporter:: Stanislav Láznička (Inactive)

QA Contact:: Zimo Xiao (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 19 Start watching this issue

Created:: 2023/03/08 3:35 PM

Updated:: 2024/04/29 5:04 PM

Resolved:: 2023/05/17 10:43 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates