Bug 2228876

Summary: RFE: Improve logic to determine when the controller can run privileged pods
Product: Migration Toolkit for Containers Reporter: Pranav Gaikwad <pgaikwad>
Component: ControllerAssignee: John Matthews <jmatthew>
Status: NEW --- QA Contact: ssingla
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 1.7.8CC: rjohnson
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pranav Gaikwad 2023-08-03 13:57:55 UTC
Description of problem:
Right now, the controller only looks at the PSA labels on the source / target namespaces to make the decision of whether a privileged pod can run in the ns or not. However, in some cases, the global admission controller config can already allow running a privileged Pod even when the labels are not present on the ns. The logic should be updated to consider this case.

Version-Release number of selected component (if applicable):
1.7.8

How reproducible:
Always

Steps to Reproduce:
1. Set privileged policy as enforced at cluster level
2. Enable privileged pod setting in MigrationController
3. Do not put PSA labels on the namespace and run a migration, 

Actual results:
the migration fails at the time of running Rsync because absence of labels causes the controller to run the Pod as underprivileged. 

Expected results:
the migration should succeed as the cluster already allows running privileged pods at cluster level. 

Additional info: