RHOCP4 projects are getting warn and audit pod security admission label as baseline profile instead of restricted
Environment
- Red Hat OpenShift Container Platform (RHOCP) 4
Issue
- After upgrading an RHOCP cluster from version 4.10 to a higher version, newly created Projects/Namespaces are assigned the following labels with the baseline security level instead of the restricted labels:

  pod-security.kubernetes.io/audit: baseline
  pod-security.kubernetes.io/audit-version: latest
  pod-security.kubernetes.io/warn: baseline
  pod-security.kubernetes.io/warn-version: latest
Resolution
Remove the group from the restricted SCC in order to get the correct labels:

$ oc patch scc restricted --type=json -p '[{"op":"remove", "path": "/groups/0"}]'

Check that the restricted SCC no longer contains any groups (groups[] should be empty):

$ oc get scc restricted -o json | jq -r '.groups'
[]
Root Cause
For the restricted SCC, a freshly installed OpenShift 4.10.x or lower version has the system:authenticated group included, but later versions do not.

Note: The issue is observed when upgrading clusters from 4.10 to 4.11 or higher, not on fresh installations.
Diagnostic Steps
- Run the following command on different OpenShift cluster versions and observe the GROUPS field of the restricted SCC:

$ oc get scc restricted restricted-v2 -o custom-columns=NAME:.metadata.name,GROUPS:.groups,PRIORITY:.priority

- RHOCP 4.10 or lower versions:

NAME            GROUPS                   PRIORITY
restricted      [system:authenticated]   <nil>

- RHOCP 4.11 or higher (fresh installation):

NAME            GROUPS                   PRIORITY
restricted      []                       <nil>
restricted-v2   []                       <nil>

- RHOCP 4.11 or higher versions (after upgrading from 4.10 or lower):

NAME            GROUPS                   PRIORITY
restricted      [system:authenticated]   <nil>
restricted-v2   []                       <nil>
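As an added example (not part of the Red Hat solution), the following Python script runs the same two checks offline against saved JSON output: it derives the JSON-patch operations needed to drop system:authenticated from the restricted SCC, and it lists namespaces whose PSA warn/audit labels are weaker than restricted. The SCC and namespace JSON documents are constructed samples shaped like `oc get ... -o json` output; in practice you would exclude platform namespaces (openshift-*, kube-*) that are legitimately privileged.

```python
import json

# Constructed sample of `oc get scc restricted restricted-v2 -o json` from a
# cluster upgraded from 4.10 (example data, not captured from a real cluster).
SCC_LIST_JSON = """
{"items": [
  {"metadata": {"name": "restricted"},    "groups": ["system:authenticated"], "priority": null},
  {"metadata": {"name": "restricted-v2"}, "groups": [],                       "priority": null}
]}
"""

# Constructed sample of `oc get ns -o json` with one affected and one correct namespace.
NS_LIST_JSON = """
{"items": [
  {"metadata": {"name": "app-a", "labels": {
      "pod-security.kubernetes.io/audit": "baseline",
      "pod-security.kubernetes.io/audit-version": "latest",
      "pod-security.kubernetes.io/warn": "baseline",
      "pod-security.kubernetes.io/warn-version": "latest"}}},
  {"metadata": {"name": "app-b", "labels": {
      "pod-security.kubernetes.io/audit": "restricted",
      "pod-security.kubernetes.io/warn": "restricted"}}}
]}
"""

PSA_MODES = ("warn", "audit")


def scc_group_removal_patch(scc_list_json, scc_name="restricted", group="system:authenticated"):
    """Return JSON-patch ops that remove every occurrence of `group` from `scc_name`.

    Indices are emitted highest-first so applying the ops in order never shifts
    an index that a later op still refers to. Returns [] if the group is absent.
    """
    for scc in json.loads(scc_list_json)["items"]:
        if scc["metadata"]["name"] != scc_name:
            continue
        groups = scc.get("groups") or []
        hits = [i for i, g in enumerate(groups) if g == group]
        return [{"op": "remove", "path": f"/groups/{i}"} for i in reversed(hits)]
    return []


def namespaces_below_restricted(ns_list_json):
    """Map namespace name -> {mode: level} for namespaces whose PSA warn/audit
    label is set to something other than restricted (e.g. baseline)."""
    weak = {}
    for ns in json.loads(ns_list_json)["items"]:
        labels = ns["metadata"].get("labels") or {}
        levels = {m: labels.get(f"pod-security.kubernetes.io/{m}") for m in PSA_MODES}
        if any(lvl is not None and lvl != "restricted" for lvl in levels.values()):
            weak[ns["metadata"]["name"]] = levels
    return weak
```

Feed it real output with `oc get scc restricted restricted-v2 -o json` and `oc get ns -o json` saved to files; the returned patch list is exactly what `oc patch scc restricted --type=json -p` expects.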
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.