Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-8710

[4.13] don't enforce PSa in 4.13

    XMLWordPrintable

Details

    • Critical
    • No
    • Auth - Sprint 233
    • 1
    • Approved
    • False
    • Hide

      None

      Show
      None

    Description

      Description of problem:

      We shouldn't enforce PSa in 4.13, neither by label sync, neither by global cluster config.

      Version-Release number of selected component (if applicable):

      4.13

      How reproducible:

      100%

      Steps to Reproduce:

      As a cluster admin:
1. create two new namespaces/projects: pokus, openshift-pokus
2. as a cluster-admin, attempt to create a privileged pod in both the namespaces from 1.

      Actual results:

      pod creation is blocked by pod security admission

      Expected results:

      only a warning about pod violating the namespace pod security level should be emitted

      Additional info:

      This is currently a noop for 4.14

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-3985 Allow PSa enforcement in 4.13 by using featuresets

          • Undefined - Priority not specified.
          • Closed
          clones

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-8709 don't enforce PSa in 4.13

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-8709 don't enforce PSa in 4.13

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-10353 kube-apiserver not receiving or processing shutdown signal after coreos 9.2 bump

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-16726 [4.14] don't enforce PSa in 4.14

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          is related to

          Spike - Represents a research-related task. AUTH-351 Impact don't enforce PSa in 4.13

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is triggered by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-3663 don't enforce PSa in 4.12

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-24518 Operator isn't compatible with new security standards in upcoming OCP

          • Critical - To be worked on immediately following BLOCKER issues.
          • Resolved
          links to

          GitHub openshift/api#1422: [4.13] OCPBUGS-8710: make PSa logging again

          GitHub openshift/cluster-config-operator#290: [4.13] OCPBUGS-8710: bump o/api for the updated featureflags

          GitHub openshift/cluster-kube-apiserver-operator#1463: [4.13] OCPBUGS-8710: turn PSa to logging mode by default again

          GitHub openshift/cluster-kube-controller-manager-operator#711: [4.13] OCPBUGS-8710: Move PSa back to logging

          GitHub openshift/cluster-policy-controller#106: [4.13] OCPBUGS-8710: psalabelsyncer: invert the enforce/log logic to default to logging

          Activity

            People

              slaznick@redhat.com Stanislav Laznicka
              slaznick@redhat.com Stanislav Laznicka
              Zimo Xiao Zimo Xiao (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              18 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: