Bug 2008462

Summary:	Disable PodSecurity feature gate for 4.10
Product:	OpenShift Container Platform	Reporter:	Sergiusz Urbaniak <surbania>
Component:	apiserver-auth	Assignee:	Sergiusz Urbaniak <surbania>
Status:	CLOSED ERRATA	QA Contact:	Yash Tripathi <ytripath>
Severity:	high	Docs Contact:
Priority:	high
Version:	4.10	CC:	aos-bugs, mfojtik, surbania, xxia
Target Milestone:	---
Target Release:	4.10.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-03-10 16:13:54 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Sergiusz Urbaniak 2021-09-28 10:09:31 UTC

This is not a real bug but a placeholder to disable the PodSecurity feature gate for 4.10.

Comment 1 Sergiusz Urbaniak 2021-11-08 06:57:07 UTC

reviewed-in-sprint: this is supposed to stay open until we have finalized the investigation.

Comment 3 Sergiusz Urbaniak 2021-11-26 07:23:15 UTC

I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 5 Xingxing Xia 2021-12-17 00:56:43 UTC

> This is not a real bug but a placeholder
To know the feature deeper which may be enabled again in future release, will need read https://kubernetes.io/docs/concepts/security/pod-security-standards/ .

Comment 7 Yash Tripathi 2021-12-28 19:38:34 UTC

verified in 4.10.0-0.nightly-2021-12-23-153012 by the following steps:

1. Got current kube-apiserver config using oc cp -n openshift-kube-apiserver -c kube-apiserver kube-apiserver-ip-<>.us-east-2.compute.internal:/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml ./config.copy.yaml
2. Created a priviledged pod, no warning comes up, meaning that PodSecurity is disabled, as we can also verify from the config
3. Ran oc edit kubeapiserver cluster and added enable-admission-plugins section in unsupportedConfigOverrides
4. Waited for the openshift-kube-apiserver pod rotation to complete
5. Created priviledged pod and got warning
W1229 01:06:26.389488   20168 warnings.go:70] would violate "latest" version of "baseline" PodSecurity profile: privileged (container "hello-nginx-docker-pod" must not set securityContext.privileged=true)
pod/hello-nginx-docker-1 created

Observation:
PodSecurity is disabled by default thus moving the bug to verified

Comment 10 errata-xmlrpc 2022-03-10 16:13:54 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056