+++ This bug was initially created as a clone of Bug #2103126 +++ Description of problem: All of the following labels should be present in the must-gather namespace pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged Version-Release number of selected component (if applicable): 4.11 How reproducible: Everytime Steps to Reproduce: 1.$ oc adm must-gather [must-gather ] OUT Using must-gather plug-in image: quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:82aa287dc11d558b9af6b261fe21b753c450649a8e8e3a7e0ef3e1440d8ec3c0 ... Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (containers "gather", "copy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (containers "gather", "copy" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or containers "gather", "copy" must set securityContext.runAsNonRoot=true), seccompProfile (pod or containers "gather", "copy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") ... 2.$ oc get ns -o yaml openshift-must-gather-xntmj ... apiVersion: v1 kind: Namespace metadata: ... creationTimestamp: "2022-06-24T13:32:30Z" generateName: openshift-must-gather- labels: kubernetes.io/metadata.name: openshift-must-gather-xntmj openshift.io/run-level: "0" pod-security.kubernetes.io/enforce: privileged name: openshift-must-gather-xntmj ... Actual results: Currently only the following label is seen … pod-security.kubernetes.io/enforce: privileged … This throws a warning which confuses users as the “pod-security.kubernetes.io/warn: privileged” label is not present It also does not have “pod-security.kubernetes.io/audit: privileged” label which causes it to not match the expression at https://github.com/openshift/cluster-kube-apiserver-operator/blob/ff87de97de70b6d373a10cccc084497e44ec9bf3/bindata/assets/alerts/podsecurity-violations.yaml#L21, hence can lead to incorrect metrics Expected results: Labels should be … pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged … Additional info:
checked with latest oc , can't reproduce the issue now: [root@localhost ~]# oc get namespace/openshift-must-gather-75wrl -o yaml apiVersion: v1 kind: Namespace metadata: ... labels: kubernetes.io/metadata.name: openshift-must-gather-75wrl openshift.io/run-level: "0" pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged .... oc version --client -o yaml clientVersion: buildDate: "2022-07-07T20:21:06Z" compiler: gc gitCommit: f17f1aa456e00569e88a0e8206c5b360e44055dd gitTreeState: clean gitVersion: 4.11.0-202207072008.p0.gf17f1aa.assembly.stream-f17f1aa goVersion: go1.18.1 major: "" minor: "" platform: linux/amd64 kustomizeVersion: v4.5.4
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069