Description of problem: All of the following labels should be present in the must-gather namespace pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged Version-Release number of selected component (if applicable): 4.11 How reproducible: Everytime Steps to Reproduce: 1.$ oc adm must-gather [must-gather ] OUT Using must-gather plug-in image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:82aa287dc11d558b9af6b261fe21b753c450649a8e8e3a7e0ef3e1440d8ec3c0 ... Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "gather", "copy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "gather", "copy" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "gather", "copy" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "gather", "copy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") ... 2.$ oc get ns -o yaml openshift-must-gather-xntmj ... apiVersion: v1 kind: Namespace metadata: ... creationTimestamp: "2022-06-24T13:32:30Z" generateName: openshift-must-gather- labels: kubernetes.io/metadata.name: openshift-must-gather-xntmj openshift.io/run-level: "0" pod-security.kubernetes.io/enforce: privileged name: openshift-must-gather-xntmj ... Actual results: Currently only the following label is seen … pod-security.kubernetes.io/enforce: privileged … This throws a warning which confuses users as the “pod-security.kubernetes.io/warn: privileged” label is not present It also does not have “pod-security.kubernetes.io/audit: privileged” label which causes it to not match the expression at https://github.com/openshift/cluster-kube-apiserver-operator/blob/ff87de97de70b6d373a10cccc084497e44ec9bf3/bindata/assets/alerts/podsecurity-violations.yaml#L21, hence can lead to incorrect metrics Expected results: Labels should be … pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged … Additional info:
Verified on Client Version: 4.12.0-0.nightly-2022-07-06-221008 Kustomize Version: v4.5.4 Server Version: 4.12.0-0.nightly-2022-07-06-221008 1. $ oc adm must-gather 2. $ oc get ns openshift-must-gather-2nbjs -o yaml Actual results: Labels are ... openshift.io/run-level: "0" pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged ... Expected results: Labels should be … pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged … moving to Verified
"pod-security.kubernetes.io/warn: privileged" label is present now Labels are ... pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged ... Expected results: Labels should be … pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged …
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:7399