Bug 2095716

Summary: New PSA component for Pod Security Standards enforcement is refusing openshift-operators ns
Product: OpenShift Container Platform
Reporter: Camila Macedo <cmacedo>
Component: apiserver-auth
Assignee: Standa Laznicka <slaznick>
Status: CLOSED ERRATA
QA Contact: Yash Tripathi <ytripath>
Severity: medium
Priority: medium
Version: 4.11
CC: mfojtik, surbania
Target Release: 4.11.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 4.11.0
Doc Type: No Doc Update
Last Closed: 2022-08-10 11:17:24 UTC
Type: Bug
Target Upstream Version: 4.11.0

Description Camila Macedo 2022-06-10 11:03:22 UTC
Description of problem:

This BZ regards the initiative to enable pod security admission with a restricted profile by default. More info: https://lists.corp.redhat.com/archives/aos-devel/2022-May/000798.html

As part of this effort, a new component (Pod Security Admission Autolabeling) was created with permission restrictions that align with the permissions of the SAs in the namespace (by default only when the namespace names are not prefixed with "openshift-").

⚠️ However, this logic cannot be applied to system namespaces that are managed as part of the OCP payload. The list of namespaces is tracked in the code: https://github.com/openshift/cluster-policy-controller/blob/master/pkg/psalabelsyncer/podsecurity_label_sync_controller.go#L40-L110 and one of them is the openshift-operators namespace.

As discussed, OCP/OLM uses this namespace to install Operators, so that should be an exception to the rule and should not be in this list. Then we are able to set the annotation security.openshift.io/scc.podSecurityLabelSync with the value true via a new planned OLM component to mitigate the impact on the users.

Comment 5 Yash Tripathi 2022-06-17 14:06:40 UTC
Verified on cluster version 4.11.0-0.nightly-2022-06-15-222801
using the following steps:

1. oc get ns openshift-operators -o yaml
...  
labels:
    kubernetes.io/metadata.name: openshift-operators
    openshift.io/scc: anyuid
...
2. oc label ns openshift-operators security.openshift.io/scc.podSecurityLabelSync="true"
namespace/openshift-operators labeled

3. oc get ns openshift-operators -o yaml
...
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.24
    security.openshift.io/scc.podSecurityLabelSync: "true"
...

4. oc label ns openshift-operators security.openshift.io/scc.podSecurityLabelSync="false" --overwrite
namespace/openshift-operators labeled

5. oc adm policy add-scc-to-user privileged -z default -n openshift-operators --context admin
clusterrole.rbac.authorization.k8s.io/system:openshift:scc:privileged added: "default"

6. oc get ns openshift-operators -o yaml --context=admin
...
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/warn-version: v1.24
    security.openshift.io/scc.podSecurityLabelSync: "false"
...

7. oc label ns openshift-operators security.openshift.io/scc.podSecurityLabelSync="true"  --overwrite --context=admin
namespace/openshift-operators unlabeled

8. oc get ns openshift-operators -o yaml --context=admin
...
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/audit-version: v1.24
    pod-security.kubernetes.io/warn: privileged
    pod-security.kubernetes.io/warn-version: v1.24
    security.openshift.io/scc.podSecurityLabelSync: "true"
...
Expected: openshift-operators will only sync if specifically opted in
The openshift-operators namespace was labeled as expected, moving to Verified
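
An added example (not part of the bug report or of cluster-policy-controller): a Python audit over `oc get ns -o json` output that reports each namespace's label-sync state and PSA levels, modelling only the default and opt-in rules stated in this report. The function names, finding texts and sample data are constructed for illustration, and the controller's hard-coded list of payload-managed namespaces is not modelled.

```python
import json
import sys

SYNC_LABEL = "security.openshift.io/scc.podSecurityLabelSync"
PSA_PREFIX = "pod-security.kubernetes.io/"


def classify(ns):
    """Return (name, sync_state, psa_levels, findings) for one Namespace object."""
    meta = ns.get("metadata", {})
    name = meta.get("name", "")
    labels = meta.get("labels") or {}
    opt = labels.get(SYNC_LABEL)
    # Per the bug description, "openshift-" namespaces are not synced by default.
    default = "default-off" if name.startswith("openshift-") else "default-on"
    state = {"true": "opted-in", "false": "opted-out"}.get(opt, default)
    levels = {m: labels.get(PSA_PREFIX + m) for m in ("enforce", "audit", "warn")}
    findings = []
    if state == "default-off" and not any(levels.values()):
        findings.append("no PSA labels and no opt-in label")
    if state in ("opted-out", "default-off") and any(levels.values()):
        findings.append("PSA labels present but not kept in sync with SCC access")
    if "privileged" in levels.values():
        findings.append("PSA level relaxed to privileged")
    return name, state, levels, findings


def audit(ns_list):
    """Classify every namespace in an `oc get ns -o json` style List."""
    return [classify(ns) for ns in ns_list.get("items", [])]


# Constructed sample: openshift-operators as shown in steps 1, 6 and 8 above.
def _ns(labels):
    return {"metadata": {"name": "openshift-operators", "labels": labels}}


SAMPLE = {"items": [
    _ns({"openshift.io/scc": "anyuid"}),
    _ns({PSA_PREFIX + "audit": "restricted", PSA_PREFIX + "warn": "restricted", SYNC_LABEL: "false"}),
    _ns({PSA_PREFIX + "audit": "privileged", PSA_PREFIX + "warn": "privileged", SYNC_LABEL: "true"}),
]}

if __name__ == "__main__":
    data = SAMPLE
    if len(sys.argv) > 1:  # optional: path to saved `oc get ns -o json` output
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    for name, state, levels, findings in audit(data):
        print(name, state, levels, findings or "ok")
```

To audit a live cluster, save `oc get ns -o json` to a file and pass its path as the first argument.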

Comment 6 errata-xmlrpc 2022-08-10 11:17:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069