Bug 2046157

Summary: Still uses pod-security.admission.config.k8s.io/v1alpha1 in admission plugin config
Product: OpenShift Container Platform Reporter: Xingxing Xia <xxia>
Component: apiserver-authAssignee: Standa Laznicka <slaznick>
Status: CLOSED ERRATA QA Contact: Yash Tripathi <ytripath>
Severity: low Docs Contact:
Priority: medium    
Version: 4.10CC: aos-bugs, mfojtik, surbania
Target Milestone: ---   
Target Release: 4.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-10 10:43:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Xingxing Xia 2022-01-26 10:18:49 UTC 
Description of problem:
Latest 4.10 is k8s 1.23 rebased, and PodSecurity is promoted to beta in k8s 1.23, but latest 4.10 still displays old apiVersion for it. If we would update it in 4.10, pls go ahead. If we would not like to update it due to intentional bug 2008462, we should create this bug to track it for 4.11.

Version-Release number of selected component (if applicable):
$ oc version
...
Server Version: 4.10.0-0.nightly-2022-01-25-023600
Kubernetes Version: v1.23.0+06791f6

How reproducible:
Always

Steps to Reproduce:
1.
$ oc extract cm/config -n openshift-kube-apiserver --confirm
config.yaml

2.
$ jq '' config.yaml > config.json

3.
$ cat config.json
{
  "admission": {
    "pluginConfig": {
      "PodSecurity": {
        "configuration": {
          "apiVersion": "pod-security.admission.config.k8s.io/v1alpha1",
          "defaults": {
            "audit": "baseline",
            "audit-version": "latest",
            "enforce": "privileged",
            "enforce-version": "latest",
            "warn": "baseline",
            "warn-version": "latest"
          },
          "kind": "PodSecurityConfiguration"
        }
      }
...

Actual results:
3. It shows old v1alpha1 apiVersion

Expected results:
3. It should not show old v1alpha1 apiVersion. Because https://kubernetes.io/docs/concepts/security/pod-security-admission/ says:
In v1.23, the PodSecurity feature gate is a Beta feature and is enabled by default.
In v1.22, the PodSecurity feature gate is an Alpha feature

Additional info:
Comment 1 Sergiusz Urbaniak 2022-02-10 12:05:53 UTC 
This fits into the pod security admission story, reassigning to standa.
Comment 3 Standa Laznicka 2022-06-30 09:31:53 UTC 
This was actually fixed long time ago in https://github.com/openshift/cluster-kube-apiserver-operator/pull/1308
Comment 4 Xingxing Xia 2022-06-30 09:47:31 UTC 
Yeah, thx for revisiting. Moving to VERIFIED.
Comment 6 errata-xmlrpc 2022-08-10 10:43:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069