OpenShift GitOps: GITOPS-5221

Pod Security Admission labels not applied on openshift-gitops namespace on upgrade


With this update, restrictive Pod Security Admission (PSA) labels are now applied to the operator-owned `openshift-gitops` namespace to ensure compliance with OpenShift standards. If you are running any additional workloads in this namespace, please ensure they comply with restrictive PSA requirements. If compliance is not feasible, consider using a user-defined, cluster-scoped ArgoCD instance, where PSA labels are not applied or controlled by the operator.

Sprint: GitOps Crimson - Sprint 3262

      Description of problem:

      https://github.com/redhat-developer/gitops-operator/pull/674 introduced PSA labels on the openshift-gitops namespace to comply with OpenShift standards. The labels are added correctly to the openshift-gitops namespace on a new install of the OpenShift GitOps operator v1.13.x; however, they are not applied when an upgrade is performed from a lower version to v1.13.x.


      Open question: Do we allow users to override these PSA labels on the openshift-gitops namespace, or do we recommend creating a separate user-defined, cluster-scoped Argo CD instance if that is required? [Answer] Do not allow users to override PSA labels on the openshift-gitops namespace, as the namespace is owned by the operator. If certain use cases require changes to the PSA policy labels (for example, a sidecar or monitoring pod added to the openshift-gitops namespace requires privileged access), it is recommended to use a user-defined, cluster-scoped Argo CD instance instead.

      Prerequisites (if any, like setup, operators/versions):

      Steps to Reproduce

      1. Install operator version < 1.13.0
      2. Perform operator upgrade to 1.13.0 or higher

      Actual results:

      No pod-security.kubernetes.io labels are present on the openshift-gitops namespace.

      Expected results:

      The following labels are present on the openshift-gitops namespace:

      pod-security.kubernetes.io/audit: restricted
      pod-security.kubernetes.io/audit-version: latest
      pod-security.kubernetes.io/enforce: restricted
      pod-security.kubernetes.io/enforce-version: v1.29
      pod-security.kubernetes.io/warn: restricted
      pod-security.kubernetes.io/warn-version: latest

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Acceptance criteria: 

      Add reconciliation logic to the operator that updates the labels on the openshift-gitops namespace.
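      As an added illustration of the acceptance criteria (this is example code written for this page, not code from the gitops-operator project), the following models the reconcile step that keeps the PSA labels on the namespace. It runs without Kubernetes client libraries: the `Namespace` type is a stand-in for corev1.Namespace, `createOnlyLabels` is a hypothetical model of the pre-fix "label on create only" behaviour that misses the upgrade case, and the `example.com/owner` label is constructed. The six label keys and values are the ones listed under "Expected results" above.

```go
package main

import (
	"fmt"
	"sort"
)

// desiredPSALabels holds the restricted Pod Security Admission labels the
// operator should own on its namespace (values from the issue's expected results).
var desiredPSALabels = map[string]string{
	"pod-security.kubernetes.io/audit":           "restricted",
	"pod-security.kubernetes.io/audit-version":   "latest",
	"pod-security.kubernetes.io/enforce":         "restricted",
	"pod-security.kubernetes.io/enforce-version": "v1.29",
	"pod-security.kubernetes.io/warn":            "restricted",
	"pod-security.kubernetes.io/warn-version":    "latest",
}

// Namespace is a hypothetical stand-in for corev1.Namespace so the example
// runs without Kubernetes client libraries; only Name and Labels matter here.
type Namespace struct {
	Name   string
	Labels map[string]string
}

// MissingPSALabels returns the sorted label keys whose value is absent or
// differs from the desired restricted setting. An empty result means compliant.
func MissingPSALabels(labels map[string]string) []string {
	var missing []string
	for k, want := range desiredPSALabels {
		if got, ok := labels[k]; !ok || got != want {
			missing = append(missing, k)
		}
	}
	sort.Strings(missing)
	return missing
}

// ReconcilePSALabels is the reconcile-loop step the acceptance criteria ask
// for: it (re)applies the desired labels on every pass, not only on create,
// so an upgraded cluster converges and a manual override is reverted.
// Unrelated labels on the namespace are left untouched. It returns true when
// ns.Labels changed, i.e. when the caller has to persist the object.
func ReconcilePSALabels(ns *Namespace) bool {
	if ns.Labels == nil {
		ns.Labels = map[string]string{}
	}
	changed := false
	for _, k := range MissingPSALabels(ns.Labels) {
		ns.Labels[k] = desiredPSALabels[k]
		changed = true
	}
	return changed
}

// createOnlyLabels models the pre-fix behaviour (hypothetical): labels are
// set only when the namespace is first created, so a namespace that already
// exists (the upgrade case) never receives them.
func createOnlyLabels(ns *Namespace, alreadyExists bool) bool {
	if alreadyExists {
		return false
	}
	return ReconcilePSALabels(ns)
}

func main() {
	// Constructed upgrade scenario: the namespace was created by an older
	// operator version and carries only an unrelated, constructed label.
	ns := &Namespace{Name: "openshift-gitops", Labels: map[string]string{"example.com/owner": "constructed"}}

	createOnlyLabels(ns, true)
	fmt.Println("after create-only logic, missing:", MissingPSALabels(ns.Labels))

	fmt.Println("reconcile changed namespace:", ReconcilePSALabels(ns))
	fmt.Println("after reconcile, missing:", MissingPSALabels(ns.Labels))
	fmt.Println("second reconcile changed namespace:", ReconcilePSALabels(ns))

	// A user relaxing enforce to a weaker level is reverted on the next pass,
	// matching the decision that the operator owns these labels.
	ns.Labels["pod-security.kubernetes.io/enforce"] = "privileged"
	ReconcilePSALabels(ns)
	fmt.Println("enforce after override:", ns.Labels["pod-security.kubernetes.io/enforce"])
}
```

      In the real operator this step runs against the fetched corev1.Namespace inside the reconcile loop, and an Update call follows only when the function reports a change. On a cluster, the same check as `MissingPSALabels` can be done by eye with `oc get namespace openshift-gitops --show-labels` and comparing against the six expected labels.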


      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

              saumeyakatyal Saumeya Katyal
              rh-ee-sghadi Siddhesh Ghadi