I can't set PSA label on namespace

Question

I can't set PSA label on namespace

JayJay-K opened this issue a year ago · 11 comments

I don't know whether I can open issue with this ..

I create one namespace 'psans' with "kuberctl create ns psans".
Then, I can see follow labes
[root@bastion /]# kubectl describe ns psans | grep secu
pod-security.kubernetes.io/audit=baseline
pod-security.kubernetes.io/audit-version=v1.24
pod-security.kubernetes.io/warn=baseline
pod-security.kubernetes.io/warn-version=v1.24

And I can add and remove enforce:
[root@bastion /]# kubectl label ns psans pod-security.kubernetes.io/enforce=baseline
namespace/psans labeled
[root@bastion /]# kubectl describe ns psans | grep secu
pod-security.kubernetes.io/audit=baseline
pod-security.kubernetes.io/audit-version=v1.24
pod-security.kubernetes.io/enforce=baseline
pod-security.kubernetes.io/warn=baseline
pod-security.kubernetes.io/warn-version=v1.24
[root@bastion /]# kubectl label ns psans pod-security.kubernetes.io/enforce-
namespace/psans unlabeled
[root@bastion /]# kubectl describe ns psans | grep secu
pod-security.kubernetes.io/audit=baseline
pod-security.kubernetes.io/audit-version=v1.24
pod-security.kubernetes.io/warn=baseline
pod-security.kubernetes.io/warn-version=v1.24

But I can't remove audit or warn:
[root@bastion /]# kubectl label ns psans pod-security.kubernetes.io/audit-version-
namespace/psans unlabeled
[root@bastion /]# kubectl describe ns psans | grep secu
pod-security.kubernetes.io/audit=baseline
pod-security.kubernetes.io/audit-version=v1.24
pod-security.kubernetes.io/warn=baseline
pod-security.kubernetes.io/warn-version=v1.24
[root@bastion /]# kubectl label ns psans pod-security.kubernetes.io/audit-
namespace/psans unlabeled
[root@bastion /]# kubectl describe ns psans | grep secu
pod-security.kubernetes.io/audit=baseline
pod-security.kubernetes.io/audit-version=v1.24
pod-security.kubernetes.io/warn=baseline
pod-security.kubernetes.io/warn-version=v1.24

Is it a policy? Otherwise, do I have to use other proper commands?

Answer 1 · 2023-07-04T19:36:27.000Z

does the cluster have an admission webhook that is automatically adding audit/warn labels?

Answer 2 · 2024-01-23T20:54:06.000Z

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Answer 3 · 2024-02-01T02:17:30.000Z

/remove-lifecycle stale

Answer 4 · 2024-05-01T02:30:44.000Z

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Answer 5 · 2024-05-31T02:43:12.000Z

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle rotten
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

Answer 6 · 2024-05-31T05:09:21.000Z

/remove-lifecycle rotten

Answer 7 · 2024-05-31T05:09:43.000Z

/triage needs-information

Answer 8 · 2024-08-29T05:56:37.000Z

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Answer 9 · 2024-08-29T07:14:49.000Z

/remove-lifecycle stale

Answer 10 · 2024-08-29T07:16:07.000Z

One of reason could be installation of admission webhook and pod security enabled.
https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces

Answer 11 · 2024-08-29T07:16:21.000Z

@JayJay-K Please confirm