This is not a real bug but a placeholder to disable the PodSecurity feature gate for 4.10.
reviewed-in-sprint: this is supposed to stay open until we have finalized the investigation.
Iām adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.
> This is not a real bug but a placeholder To know the feature deeper which may be enabled again in future release, will need read https://kubernetes.io/docs/concepts/security/pod-security-standards/ .
verified in 4.10.0-0.nightly-2021-12-23-153012 by the following steps: 1. Got current kube-apiserver config using oc cp -n openshift-kube-apiserver -c kube-apiserver kube-apiserver-ip-<>.us-east-2.compute.internal:/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml ./config.copy.yaml 2. Created a priviledged pod, no warning comes up, meaning that PodSecurity is disabled, as we can also verify from the config 3. Ran oc edit kubeapiserver cluster and added enable-admission-plugins section in unsupportedConfigOverrides 4. Waited for the openshift-kube-apiserver pod rotation to complete 5. Created priviledged pod and got warning W1229 01:06:26.389488 20168 warnings.go:70] would violate "latest" version of "baseline" PodSecurity profile: privileged (container "hello-nginx-docker-pod" must not set securityContext.privileged=true) pod/hello-nginx-docker-1 created Observation: PodSecurity is disabled by default thus moving the bug to verified
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056