Uploaded image for project: 'Red Hat OpenShift Control Planes'
  1. Red Hat OpenShift Control Planes
  2. CNTRLPLANE-1432

Dynamically set PSA policy in KAS config based on OpenShiftPodSecurityAdmission

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • None
    • HyperShift
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • None
    • None
    • None
    • None

      Right now, we hardcode the KAS PSA config in the CPO.

      This is a constant source of skew vs standalone and PSA tends to get pulled from the release at the last minute, after branch cut, leading to a hypershift fire drill in CI.

      https://github.com/openshift/hypershift/blob/f28ea8ae23bea196209bd15923384da669011e81/control-plane-operator/controllers/hostedcontrolplane/v2/kas/config.go#L112-L134

      We should set the PSA config based on the the OpenShiftPodSecurityAdmission feature gate, that way when it gets disabled in o/api, hypershift doesn't get caught out.

      We should also make our e2e conditional on the feature gate

      https://github.com/openshift/hypershift/blob/f28ea8ae23bea196209bd15923384da669011e81/test/e2e/util/util.go#L982

              jparrill@redhat.com Juan Manuel Parrilla Madrid
              sjenning Seth Jennings
              None
              None
              None
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: