- Bug
- Resolution: Done
- Normal
- 1.13.0
- 5
- False
- None
- False
GitOps Crimson - Sprint 3262
Description of problem:
https://github.com/redhat-developer/gitops-operator/pull/674 introduced PSA labels on the openshift-gitops namespace to comply with OpenShift standards. The labels are added correctly to the openshift-gitops namespace on a new install of OpenShift GitOps operator v1.13.x; however, they are not applied when an upgrade is performed from a lower version to v1.13.x.
Open question: Do we allow users to override these PSA labels on the openshift-gitops namespace, or recommend creating a separate user-defined cluster-scoped Argo CD instance if that is required? [Answer] Don't allow users to override PSA labels on the openshift-gitops namespace, as the namespace is owned by the operator. If certain use cases require changes to the PSA policy labels (for example, a sidecar or monitoring pod added to the openshift-gitops namespace that requires privileged access), it is recommended to use a user-defined cluster-scoped Argo CD instance instead.
Prerequisites (if any, like setup, operators/versions):
Steps to Reproduce
- Install operator version < 1.13.0
- Perform operator upgrade to 1.13.0 or higher
Actual results:
No pod-security.kubernetes.io labels are present on the openshift-gitops namespace
Expected results:
Check labels on the openshift-gitops namespace:
- pod-security.kubernetes.io/audit: restricted
- pod-security.kubernetes.io/audit-version: latest
- pod-security.kubernetes.io/enforce: restricted
- pod-security.kubernetes.io/enforce-version: v1.29
- pod-security.kubernetes.io/warn: restricted
- pod-security.kubernetes.io/warn-version: latest
Reproducibility (Always/Intermittent/Only Once):
Always
Acceptance criteria:
Add reconciliation logic in operator to update openshift-gitops namespace labels
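Added example (not the operator's own code): a small Go model of the reconciliation the acceptance criteria ask for, plus a drift check against the labels in the expected results. It works on a plain label map standing in for ns.Labels instead of the Kubernetes API, and the sample namespace labels in main are constructed.

```go
package main

import "sort"

// PSA labels the bug's expected results list for the openshift-gitops namespace.
var desiredPSALabels = map[string]string{
	"pod-security.kubernetes.io/audit":           "restricted",
	"pod-security.kubernetes.io/audit-version":   "latest",
	"pod-security.kubernetes.io/enforce":         "restricted",
	"pod-security.kubernetes.io/enforce-version": "v1.29",
	"pod-security.kubernetes.io/warn":            "restricted",
	"pod-security.kubernetes.io/warn-version":    "latest",
}

// ReconcilePSALabels enforces the desired PSA labels on a namespace label map
// (e.g. ns.Labels fetched from the API) and reports whether anything changed, so
// the controller can skip the Update call on a no-op pass. Non-PSA labels stay.
func ReconcilePSALabels(labels map[string]string) (map[string]string, bool) {
	if labels == nil { // namespace with no labels at all
		labels = map[string]string{}
	}
	changed := false
	for k, want := range desiredPSALabels {
		if labels[k] != want {
			labels[k] = want
			changed = true
		}
	}
	return labels, changed
}

// PSADrift reports PSA labels that are missing or wrong; empty means compliant.
func PSADrift(labels map[string]string) []string {
	var drift []string
	for k, want := range desiredPSALabels {
		switch got, ok := labels[k]; {
		case !ok:
			drift = append(drift, k+" missing (want "+want+")")
		case got != want:
			drift = append(drift, k+"="+got+" (want "+want+")")
		}
	}
	sort.Strings(drift) // map order is random; keep the report stable
	return drift
}

func main() {
	// Constructed: a namespace upgraded from < 1.13.0 carries no PSA labels.
	println(len(PSADrift(map[string]string{})), "PSA labels drifted") // prints 6
}
```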
Definition of Done:
Build Details:
Additional info (Such as Logs, Screenshots, etc):
- is documented by: GITOPS-5786 Documentation Update - PSA: add restricted labels to openshift-gitops namespace (Closed)