Description of problem:

This BZ regards the initiative to enable pod security admission with a restricted profile by default. More info: https://lists.corp.redhat.com/archives/aos-devel/2022-May/000798.html

As part of this effort, a new component (Pod Security Admission Autolabeling) was created with permission restrictions that align with the permissions of the SAs in the namespace (by default only when the namespace names are not prefixed with "openshift-").

⚠️ However, this logic cannot be applied to system namespaces that are managed as part of the OCP payload. The list of namespaces is tracked in the code: https://github.com/openshift/cluster-policy-controller/blob/master/pkg/psalabelsyncer/podsecurity_label_sync_controller.go#L40-L110 and one of them is the openshift-operators namespace. As discussed, OCP/OLM uses this namespace to install Operators, so that should be an exception to the rule and should not be in this list. Then, we are able to set the annotation security.openshift.io/scc.podSecurityLabelSync with the value true via a new planned OLM component to mitigate the impact on the users.
PR: https://github.com/openshift/cluster-policy-controller/pull/79
Verified on Cluster version is 4.11.0-0.nightly-2022-06-15-222801

Using the following steps:

1. oc get ns openshift-operators -o yaml
   ...
     labels:
       kubernetes.io/metadata.name: openshift-operators
       openshift.io/scc: anyuid
   ...

2. oc label ns openshift-operators security.openshift.io/scc.podSecurityLabelSync="true"
   namespace/openshift-operators labeled

3. oc get ns openshift-operators -o yaml
   ...
       pod-security.kubernetes.io/audit: restricted
       pod-security.kubernetes.io/audit-version: v1.24
       pod-security.kubernetes.io/warn: restricted
       pod-security.kubernetes.io/warn-version: v1.24
       security.openshift.io/scc.podSecurityLabelSync: "true"
   ...

4. oc label ns openshift-operators security.openshift.io/scc.podSecurityLabelSync="false" --overwrite
   namespace/openshift-operators labeled

5. oc adm policy add-scc-to-user privileged -z default -n openshift-operators --context admin
   clusterrole.rbac.authorization.k8s.io/system:openshift:scc:privileged added: "default"

6. oc get ns openshift-operators -o yaml --context=admin
   ...
       pod-security.kubernetes.io/audit: restricted
       pod-security.kubernetes.io/audit-version: v1.24
       pod-security.kubernetes.io/warn: restricted
       pod-security.kubernetes.io/warn-version: v1.24
       security.openshift.io/scc.podSecurityLabelSync: "false"
   ...

7. oc label ns openshift-operators security.openshift.io/scc.podSecurityLabelSync="true" --overwrite --context=admin
   namespace/openshift-operators unlabeled

8. oc get ns openshift-operators -o yaml --context=admin
   ...
       pod-security.kubernetes.io/audit: privileged
       pod-security.kubernetes.io/audit-version: v1.24
       pod-security.kubernetes.io/warn: privileged
       pod-security.kubernetes.io/warn-version: v1.24
       security.openshift.io/scc.podSecurityLabelSync: "true"
   ...

Expected: openshift-operators will only sync if specifically opted in.

The openshift-operators namespace was labeled as expected, moving to Verified.
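An added example (not part of the bug report or the cluster-policy-controller code): a read-only check over `oc get ns -o json` output that reports each namespace's podSecurityLabelSync state and flags namespaces where syncing has left the audit/warn levels weaker than restricted, as in step 8. The sample JSON and its namespace names are constructed; the label values mirror steps 1, 6 and 8.

```python
import json

SYNC_LABEL = "security.openshift.io/scc.podSecurityLabelSync"
PSA_PREFIX = "pod-security.kubernetes.io/"
# Pod Security Standards levels, strictest first.
RANK = {"restricted": 0, "baseline": 1, "privileged": 2}

# Constructed sample shaped like `oc get ns -o json`; namespace names are
# made up, label values mirror the states seen in steps 1, 6 and 8.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "ns-step1", "labels": {
        "openshift.io/scc": "anyuid"}}},
    {"metadata": {"name": "ns-step6", "labels": {
        SYNC_LABEL: "false",
        PSA_PREFIX + "audit": "restricted",
        PSA_PREFIX + "warn": "restricted"}}},
    {"metadata": {"name": "ns-step8", "labels": {
        SYNC_LABEL: "true",
        PSA_PREFIX + "audit": "privileged",
        PSA_PREFIX + "warn": "privileged"}}},
]})


def audit_namespaces(ns_list_json):
    """Return one finding per namespace: sync state, PSA levels, and a flag
    when an opted-in namespace has levels weaker than 'restricted'."""
    findings = []
    for item in json.loads(ns_list_json).get("items", []):
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        sync = labels.get(SYNC_LABEL)  # None means the label is absent
        levels = {m: labels.get(PSA_PREFIX + m) for m in ("audit", "warn")}
        # The weakest level present decides the flag; unknown values are
        # treated like 'privileged' so they are not silently ignored.
        present = [v for v in levels.values() if v is not None]
        weakest = max(present, key=lambda v: RANK.get(v, 2), default=None)
        findings.append({
            "namespace": meta.get("name"),
            "sync": sync,
            "levels": levels,
            "relaxed": sync == "true" and weakest is not None
                       and RANK.get(weakest, 2) > RANK["restricted"],
        })
    return findings


if __name__ == "__main__":
    for finding in audit_namespaces(SAMPLE):
        print(finding)
```

On a live cluster the same function can be fed the output of `oc get ns -o json`; a flagged namespace is a prompt to review which service accounts there hold a privileged SCC.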
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069