Bug 1919443 - 4.7 kata operator will mutate pods in other namespaces that don't have kata-webhook installed
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: sandboxed-containers
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: ---
Assignee: Snir Sheriber
QA Contact: Cameron Meadors
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-22 20:46 UTC by Peter Ruan
Modified: 2022-09-21 08:27 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-21 08:27:27 UTC
Target Upstream Version:
Embargoed:



Description Peter Ruan 2021-01-22 20:46:50 UTC
Description of problem:
4.7 kata operator will mutate pods in other namespaces that don't have kata-webhook installed

1. install kata operator 4.7
2. create new project `foo`
3. install kata-webhook for ns foo
4. create a pod...it should mutate it to have `kata` as runtime
5. create new project `bar`
6. within the new project, create the same pod as step #4 without installing the kata-webhook
7. do `oc get pod xxx -o yaml | grep kata` and see that `kata` is the runtime for the pod in the project `bar` even though there is no kata-webhook installed in it.

Version-Release number of selected component (if applicable):
kata-operator 4.7

How reproducible:
always

Steps to Reproduce:
see above description of the problem

Actual results:
kata runtime is enabled for pods in projects that don't have the kata-webhook.

Expected results:
kata runtime is enabled only if the user input yaml has it specified or kata-webhook is installed in the namespace.

Additional info:

Comment 3 Jens Freimann 2022-09-21 08:27:27 UTC
Problem was solved in some other issue.
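
The `grep kata` check from the description, generalized to every namespace, as an added example that is not part of the original report or the operator's code. It assumes the reader supplies `webhook_namespaces` (the report does not say how a kata-webhook installation is recorded) and uses the `kubectl.kubernetes.io/last-applied-configuration` annotation, present only on pods made with `oc apply`, to tell a user-requested runtime from a mutated one.

```python
import json

KATA = "kata"  # runtime class name the report greps for
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"  # set by `oc apply`

def classify(pod):
    """Compare the live runtime class with the spec the user submitted."""
    raw = pod["metadata"].get("annotations", {}).get(LAST_APPLIED)
    if raw is None:
        return "unverified"  # e.g. made with `oc create`: submitted spec not recorded
    submitted = json.loads(raw).get("spec", {}).get("runtimeClassName")
    return "user-requested" if submitted == KATA else "mutated"

def audit(pod_list, webhook_namespaces):
    """List kata pods that neither a namespace webhook nor the user's YAML explains."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod.get("spec", {})
        if spec.get("runtimeClassName") != KATA:
            continue
        if meta["namespace"] in webhook_namespaces:
            continue  # mutation is expected here
        verdict = classify(pod)
        if verdict != "user-requested":
            findings.append((meta["namespace"], meta["name"], verdict))
    return sorted(findings)

def _pod(ns, name, runtime=None, applied_runtime="absent"):
    """Build a constructed pod object; applied_runtime='absent' omits the annotation."""
    meta = {"namespace": ns, "name": name}
    if applied_runtime != "absent":
        spec = {"runtimeClassName": applied_runtime} if applied_runtime else {}
        meta["annotations"] = {LAST_APPLIED: json.dumps({"spec": spec})}
    return {"metadata": meta, "spec": {"runtimeClassName": runtime} if runtime else {}}

# Constructed sample in the shape of `oc get pods -A -o json` (not real cluster data).
SAMPLE = {"items": [
    _pod("foo", "example", KATA, None),   # webhook namespace: expected
    _pod("bar", "example", KATA, None),   # applied without kata, runs with kata
    _pod("bar", "explicit", KATA, KATA),  # user asked for kata in the YAML
    _pod("baz", "created", KATA),         # no annotation to compare against
    _pod("bar", "plain", None, None),     # not a kata pod
]}

if __name__ == "__main__":
    for ns, name, verdict in audit(SAMPLE, webhook_namespaces={"foo"}):
        print(f"{ns}/{name}: {verdict}")
```

On a cluster, pass `audit` the parsed output of `oc get pods -A -o json` in place of `SAMPLE`.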

