Bug 2002539

Summary: (release-4.7) Gather PodSecurityPolicies names installed in a cluster
Product: OpenShift Container Platform
Reporter: Tomas Remes <tremes>
Component: Insights Operator
Assignee: Tomas Remes <tremes>
Status: CLOSED ERRATA
QA Contact: Dmitry Misharov <dmisharo>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 4.7
CC: aos-bugs, dmisharo, inecas, mklika, tremes
Target Milestone: ---
Target Release: 4.7.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 2001457
Environment:
Last Closed: 2021-10-12 19:51:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2001457
Bug Blocks:

Comment 2 Dmitry Misharov 2021-09-24 12:10:30 UTC
I return the status back to POST because the backport was not correct.

Comment 4 Dmitry Misharov 2021-09-27 07:45:32 UTC
Verified on 4.7.0-0.ci-2021-09-27-015029.
Verification steps:

1. cat psp.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  annotations:
    apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
    apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
  name: next-psp-name
spec:
  # default set of capabilities are implicitly allowed
  allowedCapabilities: []
  allowPrivilegeEscalation: false
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  hostIPC: false
  hostNetwork: false
  hostPID: false
  privileged: false
  readOnlyRootFilesystem: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  volumes:
  - 'configMap'
  - 'downwardAPI'
  - 'emptyDir'
  - 'persistentVolumeClaim'
  - 'projected'
  - 'secret'
  hostPorts:
  - min: 0
    max: 0
2. oc apply -f psp.yaml
3. oc delete pod insights-operator-<some name>
4. download the archive 
oc rsync insights-operator-<some name>:/var/lib/insights-operator/insights-<date>.tar.gz /tmp
5. check if config/psp_names.json exists and has the right content
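Step 5 above is done by hand; the following is an added helper (not part of the bug or of the Insights Operator code) that automates it for an archive downloaded in step 4: it looks for config/psp_names.json inside the .tar.gz and confirms the PSP applied in step 2 is listed. It assumes the file is a JSON array of PSP name strings, which the bug does not state, and builds a constructed sample archive so it can run offline.

```python
import io
import json
import os
import tarfile
import tempfile

# Path inside the Insights archive named in the verification steps.
PSP_NAMES_PATH = "config/psp_names.json"


def build_sample_archive(path, names):
    """Write a constructed Insights-style .tar.gz holding only
    config/psp_names.json (JSON array of names: an assumption)."""
    payload = json.dumps(names).encode()
    with tarfile.open(path, "w:gz") as tar:
        info = tarfile.TarInfo(PSP_NAMES_PATH)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return path


def extract_psp_names(archive_path):
    """Return the PSP names recorded in the archive, or None when
    config/psp_names.json is absent (the 'exists' half of step 5)."""
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            # Tolerate a leading "./" in member names.
            if member.name.lstrip("./") == PSP_NAMES_PATH:
                data = tar.extractfile(member).read()
                break
        else:
            return None
    names = json.loads(data)
    if not isinstance(names, list) or not all(isinstance(n, str) for n in names):
        raise ValueError(f"{PSP_NAMES_PATH} is not a JSON array of strings")
    return names


def verify_psp_gathered(archive_path, expected_name):
    """True only if the file exists and lists the PSP from step 2."""
    names = extract_psp_names(archive_path)
    return names is not None and expected_name in names


def self_check():
    """Build a constructed archive and run the step-5 check against it."""
    tmpdir = tempfile.mkdtemp()
    archive = build_sample_archive(os.path.join(tmpdir, "insights-sample.tar.gz"),
                                   ["next-psp-name", "other-psp"])
    return (extract_psp_names(archive),
            verify_psp_gathered(archive, "next-psp-name"),
            verify_psp_gathered(archive, "missing-psp"))
```

Point extract_psp_names or verify_psp_gathered at the real /tmp/insights-<date>.tar.gz from step 4 to check the cluster's archive; only PSP names are expected in this file, not the policy specs.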

Comment 7 errata-xmlrpc 2021-10-12 19:51:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.33 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:3686