Description of problem: When I try to add a label to an existing POD created through a deployment config the operation is rejected with the following message: The Pod "deployment-example-1-2uiqx" is invalid. spec: Forbidden: pod updates may not change fields other than `containers[*].image` or `spec.activeDeadlineSeconds` (Interestingly enough I was not able to update `containers[*].image` too, despite the message I am getting the same error) I tried with following approaches and the outcome is always the same: oc annotate pod deployment-example-1-2uiqx foo=bar oc label pod deployment-example-1-2uiqx foo=bar kubectl label pod consul-registry-1-j78l8 foo=bar oc edit pod consul-registry-1-j78l8 I expect to be able to add labels and annotations to pods even when they have been created through deployment configs (I do not observe this behavior on individual PODs), consistently with what I observed on Openshift Origin and Kubernetes. Where are you experiencing the behavior? What environment? Openshift enterprise version: oc v3.2.1.4-1-g1864c8f kubernetes v1.2.0-36-g4a3f9c5 On VMs running: Red Hat Enterprise Linux Server release 7.2 Note that I do not observe the same behavior on Openshift Origin (see below the tested version), where I' m able to add labels and annotations to PODs created by deployment configs. oc v1.2.1 kubernetes v1.2.0-36-g4a3f9c5 How reproducible: Always on customer side Steps to Reproduce: 1.mentioned in the description 2. 3. Actual results: Expected results: Additional info:
what user are you trying to annotate it with? what are the annotations on the pod? what SCC admitted the pod?
likely the same root cause as https://bugzilla.redhat.com/show_bug.cgi?id=1383707
Miheer, can you provide pod yaml, the user name that is attempting to perform the action, and the list of sccs so we can understand if its the same root issue that Jordan linked against?
*** This bug has been marked as a duplicate of bug 1383707 ***