Privileged PSAC labels assigned to default namespace

Bug #1997117 reported by Jerry Sun
Affects     Status         Importance   Assigned to   Milestone
StarlingX   Fix Released   Low          Jerry Sun

Bug Description

Brief Description
-----------------
Applying a test application to the default namespace assigns privileged pod security admission control labels to the default namespace.

Severity
--------
Minor: System/Feature is usable with minor issue

Steps to Reproduce
------------------
Apply a test application through sysinv to the default namespace

Expected Behavior
------------------
PSAC labels not assigned to the default namespace

Actual Behavior
----------------
Privileged label for PSAC assigned to the default namespace

Reproducibility
---------------
Reproducible

System Configuration
--------------------
Multi node system

Branch/Pull Time/Commit
-----------------------
2022-11-18

Workaround
----------
Manually remove the labels

Jerry Sun (jerry-sun-u)
Changed in starlingx:
assignee: nobody → Jerry Sun (jerry-sun-u)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/config/+/865058

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/c/starlingx/config/+/865058
Committed: https://opendev.org/starlingx/config/commit/d70e46de70079a89a0fccf378fb2c76f004b5cc0
Submitter: "Zuul (22348)"
Branch: master

commit d70e46de70079a89a0fccf378fb2c76f004b5cc0
Author: Jerry Sun <email address hidden>
Date: Fri Nov 18 15:47:58 2022 -0500

    Add PSAC labels to only managed namespaces

    Pod Security Admission Controller (PSAC)
    labels are automatically added to namespaces that applications are
    applied in. Sysinv used to assume that all namespaces that
    applications are deployed in are managed by sysinv, and assigns
    a privileged label to it. This can result in privileged labels
    being assigned to the default namespace, for example, if an
    application is deployed there. This commit limits PSAC label
    assignment to only a list of namespaces that we know are for our
    applications.

    PASS: Bootstrap system, check that cert manager namespace has
          PSAC labels (labels still exist for application deployment)
    PASS: Apply test application to default namespace, and ensure
          PSAC labels are not assigned

    Closes-Bug: 1997117
    Signed-off-by: Jerry Sun <email address hidden>
    Change-Id: I40da7d9d3b2e79d2133390ea7b270e046200b57e

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.8.0 stx.containers stx.security
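
An audit for the condition this bug describes, tied to the "manually remove the labels" workaround, added here as an example and not StarlingX or sysinv code. It assumes the standard Kubernetes `pod-security.kubernetes.io/*` label keys; the managed-namespace list, the function names and the sample input are constructed for illustration.

```python
import json

PSA_PREFIX = "pod-security.kubernetes.io/"  # standard Kubernetes PSA label prefix
PSA_MODES = ("enforce", "audit", "warn")

# Assumption: the real managed-namespace list lives in sysinv and is not shown
# on this page; "cert-manager" is inferred from the commit's test notes.
MANAGED_NAMESPACES = frozenset({"cert-manager"})

# Constructed sample in the shape of `kubectl get namespaces -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "default", "labels": {
     "kubernetes.io/metadata.name": "default",
     "pod-security.kubernetes.io/enforce": "privileged",
     "pod-security.kubernetes.io/enforce-version": "latest"}}},
  {"metadata": {"name": "cert-manager", "labels": {
     "pod-security.kubernetes.io/enforce": "privileged"}}},
  {"metadata": {"name": "team-a", "labels": {
     "pod-security.kubernetes.io/enforce": "baseline"}}},
  {"metadata": {"name": "kube-public"}}
]}
""")


def find_unmanaged_privileged(ns_list, managed=MANAGED_NAMESPACES):
    """Map each namespace outside `managed` to its privileged PSA label keys."""
    findings = {}
    for item in ns_list.get("items", []):
        meta = item.get("metadata", {})
        labels = meta.get("labels") or {}
        if meta.get("name") in managed:
            continue
        keys = []
        for mode in PSA_MODES:
            key = PSA_PREFIX + mode
            if labels.get(key) == "privileged":
                keys.append(key)
                if key + "-version" in labels:  # drop the paired version label too
                    keys.append(key + "-version")
        if keys:
            findings[meta.get("name")] = keys
    return findings


def removal_commands(findings):
    """Build kubectl commands; a trailing '-' on a key removes that label."""
    return ["kubectl label namespace {} {}".format(ns, " ".join(k + "-" for k in keys))
            for ns, keys in sorted(findings.items())]


if __name__ == "__main__":
    print("\n".join(removal_commands(find_unmanaged_privileged(SAMPLE))))
```

On a live system the input would come from `kubectl get namespaces -o json`; review the generated commands before running them, since a namespace may carry a privileged label on purpose.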