Bug 2008462 - Disable PodSecurity feature gate for 4.10
Summary: Disable PodSecurity feature gate for 4.10
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.10.0
Assignee: Sergiusz Urbaniak
QA Contact: Yash Tripathi
Depends On:
TreeView+ depends on / blocked
Reported: 2021-09-28 10:09 UTC by Sergiusz Urbaniak
Modified: 2022-03-10 16:14 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-03-10 16:13:54 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-kube-apiserver-operator pull 1262 0 None open [WIP] Bug 2008462: config: disable restricted pod security 2021-11-30 13:08:54 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:14:14 UTC

Description Sergiusz Urbaniak 2021-09-28 10:09:31 UTC
This is not a real bug but a placeholder to disable the PodSecurity feature gate for 4.10.

Comment 1 Sergiusz Urbaniak 2021-11-08 06:57:07 UTC
reviewed-in-sprint: this is supposed to stay open until we have finalized the investigation.

Comment 3 Sergiusz Urbaniak 2021-11-26 07:23:15 UTC
Iā€™m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.

Comment 5 Xingxing Xia 2021-12-17 00:56:43 UTC
> This is not a real bug but a placeholder
To know the feature deeper which may be enabled again in future release, will need read https://kubernetes.io/docs/concepts/security/pod-security-standards/ .

Comment 7 Yash Tripathi 2021-12-28 19:38:34 UTC
verified in 4.10.0-0.nightly-2021-12-23-153012 by the following steps:

1. Got current kube-apiserver config using oc cp -n openshift-kube-apiserver -c kube-apiserver kube-apiserver-ip-<>.us-east-2.compute.internal:/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml ./config.copy.yaml
2. Created a priviledged pod, no warning comes up, meaning that PodSecurity is disabled, as we can also verify from the config
3. Ran oc edit kubeapiserver cluster and added enable-admission-plugins section in unsupportedConfigOverrides
4. Waited for the openshift-kube-apiserver pod rotation to complete
5. Created priviledged pod and got warning
W1229 01:06:26.389488   20168 warnings.go:70] would violate "latest" version of "baseline" PodSecurity profile: privileged (container "hello-nginx-docker-pod" must not set securityContext.privileged=true)
pod/hello-nginx-docker-1 created

PodSecurity is disabled by default thus moving the bug to verified

Comment 10 errata-xmlrpc 2022-03-10 16:13:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.