This is not a real bug but a placeholder to disable the PodSecurity feature gate for 4.10.
reviewed-in-sprint: this is supposed to stay open until we have finalized the investigation.
I’m adding UpcomingSprint, because I was occupied by fixing bugs with higher priority/severity, developing new features with higher priority, or developing new features to improve stability at a macro level. I will revisit this bug next sprint.
> This is not a real bug but a placeholder
To know the feature deeper which may be enabled again in future release, will need read https://kubernetes.io/docs/concepts/security/pod-security-standards/ .
verified in 4.10.0-0.nightly-2021-12-23-153012 by the following steps:
1. Got current kube-apiserver config using oc cp -n openshift-kube-apiserver -c kube-apiserver kube-apiserver-ip-<>.us-east-2.compute.internal:/etc/kubernetes/static-pod-resources/configmaps/config/config.yaml ./config.copy.yaml
2. Created a priviledged pod, no warning comes up, meaning that PodSecurity is disabled, as we can also verify from the config
3. Ran oc edit kubeapiserver cluster and added enable-admission-plugins section in unsupportedConfigOverrides
4. Waited for the openshift-kube-apiserver pod rotation to complete
5. Created priviledged pod and got warning
W1229 01:06:26.389488 20168 warnings.go:70] would violate "latest" version of "baseline" PodSecurity profile: privileged (container "hello-nginx-docker-pod" must not set securityContext.privileged=true)
PodSecurity is disabled by default thus moving the bug to verified
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.