Bug 2228876 - RFE: Improve logic to determine when the controller can run privileged pods
Summary: RFE: Improve logic to determine when the controller can run privileged pods
Keywords:
Status: NEW
Alias: None
Product: Migration Toolkit for Containers
Classification: Red Hat
Component: Controller
Version: 1.7.8
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: John Matthews
QA Contact: ssingla
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-08-03 13:57 UTC by Pranav Gaikwad
Modified: 2023-08-03 13:58 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Pranav Gaikwad 2023-08-03 13:57:55 UTC 
Description of problem:
Right now, the controller only looks at the PSA labels on the source / target namespaces to make the decision of whether a privileged pod can run in the ns or not. However, in some cases, the global admission controller config can already allow running a privileged Pod even when the labels are not present on the ns. The logic should be updated to consider this case.

Version-Release number of selected component (if applicable):
1.7.8

How reproducible:
Always

Steps to Reproduce:
1. Set privileged policy as enforced at cluster level
2. Enable privileged pod setting in MigrationController
3. Do not put PSA labels on the namespace and run a migration, 

Actual results:
the migration fails at the time of running Rsync because absence of labels causes the controller to run the Pod as underprivileged. 

Expected results:
the migration should succeed as the cluster already allows running privileged pods at cluster level. 

Additional info:
Note You need to log in before you can comment on or make changes to this bug.