Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2104589

Summary: must-gather namespace should have “privileged” warn and audit pod security labels besides enforce
Product: OpenShift Container Platform Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: ocAssignee: Arda Guclu <aguclu>
oc sub component: oc QA Contact: zhou ying <yinzhou>
Status: CLOSED ERRATA Docs Contact: Arda Guclu <aguclu>
Severity: high    
Priority: unspecified CC: jchaloup, mfojtik
Version: 4.11   
Target Milestone: ---   
Target Release: 4.11.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-08-10 11:20:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2103126    
Bug Blocks:    

Description OpenShift BugZilla Robot 2022-07-06 16:31:43 UTC 
+++ This bug was initially created as a clone of Bug #2103126 +++

Description of problem:
All of the following labels should be present in the must-gather namespace
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged

Version-Release number of selected component (if applicable):
4.11

How reproducible:
Everytime


Steps to Reproduce:
1.$ oc adm must-gather
[must-gather      ] OUT Using must-gather plug-in image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:82aa287dc11d558b9af6b261fe21b753c450649a8e8e3a7e0ef3e1440d8ec3c0
...
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "gather", "copy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "gather", "copy" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "gather", "copy" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "gather", "copy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
...
2.$ oc get ns -o yaml openshift-must-gather-xntmj
...
apiVersion: v1
kind: Namespace
metadata:
...
  creationTimestamp: "2022-06-24T13:32:30Z"
  generateName: openshift-must-gather-
  labels:
    kubernetes.io/metadata.name: openshift-must-gather-xntmj
    openshift.io/run-level: "0"
    pod-security.kubernetes.io/enforce: privileged
  name: openshift-must-gather-xntmj
...

Actual results:
Currently only the following label is seen
…
    pod-security.kubernetes.io/enforce: privileged
…
This throws a warning which confuses users as the “pod-security.kubernetes.io/warn: privileged” label is not present
It also does not have “pod-security.kubernetes.io/audit: privileged” label which causes it to not match the expression at https://github.com/openshift/cluster-kube-apiserver-operator/blob/ff87de97de70b6d373a10cccc084497e44ec9bf3/bindata/assets/alerts/podsecurity-violations.yaml#L21, hence can lead to incorrect metrics

Expected results:
Labels should be
…
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
…

Additional info:
Comment 3 zhou ying 2022-07-08 12:45:20 UTC 
checked with latest oc , can't reproduce the issue now:

[root@localhost ~]# oc get namespace/openshift-must-gather-75wrl -o yaml 
apiVersion: v1
kind: Namespace
metadata:
...
  labels:
    kubernetes.io/metadata.name: openshift-must-gather-75wrl
    openshift.io/run-level: "0"
    pod-security.kubernetes.io/audit: privileged
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
....


oc version --client -o yaml 
clientVersion:
  buildDate: "2022-07-07T20:21:06Z"
  compiler: gc
  gitCommit: f17f1aa456e00569e88a0e8206c5b360e44055dd
  gitTreeState: clean
  gitVersion: 4.11.0-202207072008.p0.gf17f1aa.assembly.stream-f17f1aa
  goVersion: go1.18.1
  major: ""
  minor: ""
  platform: linux/amd64
kustomizeVersion: v4.5.4
Comment 6 errata-xmlrpc 2022-08-10 11:20:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069