Closed fketelaars closed 8 months ago
With the latest ROKS deployment the labels no longer cause CP4D installs to fail:
```
oc describe ns ibm-cert-manager
Name:         ibm-cert-manager
Labels:       kubernetes.io/metadata.name=ibm-cert-manager
              pod-security.kubernetes.io/audit=restricted
              pod-security.kubernetes.io/audit-version=v1.24
              pod-security.kubernetes.io/enforce=privileged
              pod-security.kubernetes.io/warn=restricted
              pod-security.kubernetes.io/warn-version=v1.24
Annotations:  openshift.io/sa.scc.mcs: s0:c26,c5
              openshift.io/sa.scc.supplemental-groups: 1000660000/10000
              openshift.io/sa.scc.uid-range: 1000660000/10000
Status:       Active
No resource quota.
No LimitRange resource.
```
Describe the bug
When installing CP4D on ROKS 4.14, no pods appear in `ibm-cert-manager`. This seems to be related to a pod security setting that is different on ROKS than on other infrastructure.
On AWS:
On ROKS:
Workaround
Remove the `enforced` pod security from the namespaces created by CP4D. There are two steps, documented here: https://docs.openshift.com/container-platform/4.11/authentication/understanding-and-managing-pod-security-admission.html#security-context-constraints-psa-opting_understanding-and-managing-pod-security-admission
Disable synchronization:
Remove enforce labels:
Solution
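
The two workaround steps above, sketched as an added example (not the issue author's commands, which did not survive on this page): it reads `oc describe ns` output and prints the `oc label` commands only when the enforce level could block pods. The namespace `cpd-example`, the sample text and the function names are constructed, and treating any enforce level other than `privileged` or unset as blocking is an assumption.

```shell
#!/bin/sh
# Added example: plan the two-step PSA workaround from `oc describe ns` output.

# Print the value of one label found in describe output on stdin, or "unset".
label_value() {
  awk -v key="$1" '
    { for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) {
          print substr($i, length(key) + 2); found = 1; exit
        } }
    END { if (!found) print "unset" }'
}

# Usage: oc describe ns NAME | plan_workaround NAME
plan_workaround() {
  local ns="$1" desc enforce sync
  desc="$(cat)"
  enforce="$(printf '%s\n' "$desc" | label_value pod-security.kubernetes.io/enforce)"
  sync="$(printf '%s\n' "$desc" | label_value security.openshift.io/scc.podSecurityLabelSync)"
  case "$enforce" in
    unset|privileged)   # assumption: these levels do not reject the pods
      echo "# $ns: enforce=$enforce, no change needed"
      return 0 ;;
  esac
  # Step 1: disable label synchronization so the enforce label is not re-applied.
  [ "$sync" = "false" ] ||
    echo "oc label namespace $ns security.openshift.io/scc.podSecurityLabelSync=false --overwrite"
  # Step 2: remove the enforce label (a trailing '-' deletes a label).
  echo "oc label namespace $ns pod-security.kubernetes.io/enforce-"
}

# Constructed sample: a namespace with a restrictive enforce label.
SAMPLE_BLOCKING='Name:    cpd-example
Labels:  kubernetes.io/metadata.name=cpd-example
         pod-security.kubernetes.io/enforce=restricted
         pod-security.kubernetes.io/enforce-version=v1.24
         pod-security.kubernetes.io/warn=restricted'

printf '%s\n' "$SAMPLE_BLOCKING" | plan_workaround cpd-example
```

The `warn` and `audit` labels are left untouched, so violations of the restricted profile are still reported after the enforce label is gone.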