Type: Bug
Resolution: Won't Do
Priority: Major
Affects Version: 4.12
Severity: Moderate
Description of problem:
Several weeks ago, an admin did not need to add pod-security labels to the default namespace to create pods under the default project. In the latest 4.12 version, the admin has to label the default namespace with pod-security labels; this change causes https://issues.redhat.com/browse/OCPQE-11927.
Version-Release number of selected component (if applicable):
4.12.0-0.nightly-2022-09-07-073522
How reproducible:
Always
Steps to Reproduce:
[weliang@weliang ~]$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.12.0-0.nightly-2022-09-02-115151   True        False         26m     Cluster version is 4.12.0-0.nightly-2022-09-02-115151
[weliang@weliang ~]$ oc project default
Now using project "default" on server "https://api.weliang-97c.qe.gcp.devcluster.openshift.com:6443".
[weliang@weliang ~]$ oc create -f /home/weliang/Documents/RedHat/Documents/Github/Features/Pod/non-security-pod.yaml
Error from server (Forbidden): error when creating "/home/weliang/Documents/RedHat/Documents/Github/Features/Pod/non-security-pod.yaml": pods "red-pod-1" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "red-pod-container" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "red-pod-container" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "red-pod-container" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "red-pod-container" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
[weliang@weliang ~]$ oc create -f /home/weliang/Documents/RedHat/Documents/Github/Features/Pod/security-pod.yaml
pod/blue-pod created
[weliang@weliang ~]$ oc get pod
NAME       READY   STATUS                       RESTARTS   AGE
blue-pod   0/1     CreateContainerConfigError   0          7s
[weliang@weliang ~]$ oc describe pod blue-pod
Name:         blue-pod
Namespace:    default
Priority:     0
Node:         weliang-97c-pzhjc-worker-c-qz4jv.c.openshift-qe.internal/10.0.128.4
Start Time:   Wed, 07 Sep 2022 14:03:21 -0400
Labels:       name=blue-openshift
Annotations:  k8s.v1.cni.cncf.io/network-status: [{ "name": "openshift-sdn", "interface": "eth0", "ips": [ "10.131.0.19" ], "default": true, "dns": {} }]
              k8s.v1.cni.cncf.io/networks-status: [{ "name": "openshift-sdn", "interface": "eth0", "ips": [ "10.131.0.19" ], "default": true, "dns": {} }]
              seccomp.security.alpha.kubernetes.io/pod: runtime/default
Status:       Pending
IP:           10.131.0.19
IPs:
  IP:  10.131.0.19
Containers:
  blue-pod-container:
    Container ID:
    Image:          quay.io/openshifttest/hello-sdn@sha256:d5785550cf77b7932b090fcd1a2625472912fb3189d5973f177a5a2c347a1f95
    Image ID:
    Ports:          8080/TCP, 443/TCP
    Host Ports:     0/TCP, 0/TCP
    State:          Waiting
      Reason:       CreateContainerConfigError
    Ready:          False
    Restart Count:  0
    Environment:
      RESPONSE:  Hello blue-pod
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-6tjct (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  kube-api-access-6tjct:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
    ConfigMapName:           openshift-service-ca.crt
    ConfigMapOptional:       <nil>
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason          Age                From               Message
  ----     ------          ----               ----               -------
  Normal   Scheduled       16s                default-scheduler  Successfully assigned default/blue-pod to weliang-97c-pzhjc-worker-c-qz4jv.c.openshift-qe.internal by weliang-97c-pzhjc-master-1.c.openshift-qe.internal
  Normal   AddedInterface  15s                multus             Add eth0 [10.131.0.19/23] from openshift-sdn
  Normal   Pulling         15s                kubelet            Pulling image "quay.io/openshifttest/hello-sdn@sha256:d5785550cf77b7932b090fcd1a2625472912fb3189d5973f177a5a2c347a1f95"
  Normal   Pulled          11s                kubelet            Successfully pulled image "quay.io/openshifttest/hello-sdn@sha256:d5785550cf77b7932b090fcd1a2625472912fb3189d5973f177a5a2c347a1f95" in 3.152679899s
  Warning  Failed          11s (x2 over 11s)  kubelet            Error: container has runAsNonRoot and image will run as root (pod: "blue-pod_default(31c21297-f959-4d06-8a4f-95f7464dcb23)", container: blue-pod-container)
  Normal   Pulled          11s                kubelet            Container image "quay.io/openshifttest/hello-sdn@sha256:d5785550cf77b7932b090fcd1a2625472912fb3189d5973f177a5a2c347a1f95" already present on machine
[weliang@weliang ~]$
[weliang@weliang ~]$ oc new-project test
Now using project "test" on server "https://api.weliang-97c.qe.gcp.devcluster.openshift.com:6443".

You can add applications to this project with the 'new-app' command. For example, try:

    oc new-app rails-postgresql-example

to build a new example application in Ruby. Or use kubectl to deploy a simple Kubernetes application:

    kubectl create deployment hello-node --image=k8s.gcr.io/e2e-test-images/agnhost:2.33 -- /agnhost serve-hostname

[weliang@weliang ~]$ oc create -f /home/weliang/Documents/RedHat/Documents/Github/Features/Pod/non-security-pod.yaml
Error from server (Forbidden): error when creating "/home/weliang/Documents/RedHat/Documents/Github/Features/Pod/non-security-pod.yaml": pods "red-pod-1" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "red-pod-container" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "red-pod-container" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "red-pod-container" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "red-pod-container" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
[weliang@weliang ~]$ oc create -f /home/weliang/Documents/RedHat/Documents/Github/Features/Pod/security-pod.yaml
pod/blue-pod created
[weliang@weliang ~]$ oc get pod
NAME       READY   STATUS    RESTARTS   AGE
blue-pod   1/1     Running   0          9s
[weliang@weliang ~]$
[weliang@weliang ~]$
[weliang@weliang ~]$ oc project default
Now using project "default" on server "https://api.weliang-97c.qe.gcp.devcluster.openshift.com:6443".
[weliang@weliang ~]$ oc label ns default security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged --overwrite
namespace/default labeled
[weliang@weliang ~]$ oc get pod
NAME       READY   STATUS                       RESTARTS   AGE
blue-pod   0/1     CreateContainerConfigError   0          2m15s
[weliang@weliang ~]$ oc delete pod blue-pod
pod "blue-pod" deleted
[weliang@weliang ~]$
[weliang@weliang ~]$ oc create -f /home/weliang/Documents/RedHat/Documents/Github/Features/Pod/non-security-pod.yaml
pod/red-pod-1 created
[weliang@weliang ~]$ oc get pod
NAME        READY   STATUS    RESTARTS   AGE
red-pod-1   1/1     Running   0          4s
[weliang@weliang ~]$
Actual results:
The admin has to add pod-security labels to the default namespace before pods can be created under the default project.
Expected results:
The admin should not need to add pod-security labels to the default namespace to create pods under the default project.
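The admission error in the session above names four conditions of the "restricted" Pod Security profile that red-pod-1 fails. The following script, an added example that is not part of this bug report or of the OpenShift project, re-implements just those four checks as a pre-flight lint for pod manifests, so a manifest can be checked before it is submitted instead of relying on a privileged label on the namespace. The pod dictionaries RED_POD and BLUE_POD are constructed for the example (the image name in them is a placeholder, and the real non-security-pod.yaml / security-pod.yaml files from the report are not reproduced here); the full restricted profile also restricts volume types, host namespaces and other fields, which this lint does not cover.

```python
# Added example; not code from the bug report or from the OpenShift project.
# It re-implements only the four restricted-profile checks named in the
# admission error quoted in the report (allowPrivilegeEscalation, dropped
# capabilities, runAsNonRoot, seccompProfile). The real "restricted" profile
# checks more than this; treat it as a pre-flight lint, not as the admission
# controller.


def _containers(pod):
    """All regular and init containers of a pod (dict shape mirrors the Pod
    API: spec.containers and spec.initContainers)."""
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def restricted_violations(pod):
    """Return the list of violations these checks would report; an empty
    list means the pod passes all four checks."""
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    violations = []
    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}

        # 1. Every container must explicitly set allowPrivilegeEscalation=false.
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f'allowPrivilegeEscalation != false (container "{name}")')

        # 2. Every container must drop ALL capabilities.
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in drop:
            violations.append(f'unrestricted capabilities (container "{name}")')

        # 3. runAsNonRoot must be true at pod level or container level;
        #    a container-level value overrides the pod-level one.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            violations.append(
                f'runAsNonRoot != true (pod or container "{name}")')

        # 4. seccompProfile.type must be RuntimeDefault or Localhost, again
        #    with the container-level field overriding the pod-level one.
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile")) or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f'seccompProfile (pod or container "{name}")')
    return violations


# Constructed inputs. RED_POD has no securityContext at all, like the
# red-pod-1 manifest the report rejects; BLUE_POD sets the pod-level fields
# and the per-container fields the restricted profile asks for. The image
# name is a placeholder.
RED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "red-pod-1"},
    "spec": {"containers": [
        {"name": "red-pod-container", "image": "example/hello:placeholder"}]},
}

BLUE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "blue-pod"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "blue-pod-container",
            "image": "example/hello:placeholder",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (RED_POD, BLUE_POD):
        found = restricted_violations(pod)
        print(f"{pod['metadata']['name']}: {'OK' if not found else 'FORBIDDEN'}")
        for v in found:
            print("  -", v)
```

Passing this lint only means the manifest clears admission. As the oc describe output in the report shows, blue-pod was admitted in the default namespace but then hit CreateContainerConfigError because the kubelet refuses to start a container that sets runAsNonRoot=true from an image whose configured user is root; the image (or an explicit non-zero runAsUser) has to agree with the manifest. Relabeling the namespace with enforce=privileged, as the session does, turns the restricted checks off for every pod in that namespace, which is why fixing the manifest is the preferable route where it is possible.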
Additional info:
Is duplicated by: OCPBUGS-852 oc debug requires a user to create a namespace with specific security labels (Closed)