
Revert Catalog PSA decisions for 4.13 (Marketplace)

    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • 4.12.z
    • 4.12
    • OLM

      This is a clone of issue OCPBUGS-4758. The following is the description of the original issue:

      Description of problem:

      See: https://issues.redhat.com/browse/CPSYN-143
      
      tl;dr: Based on the previous direction that 4.12 was going to enforce PSA restricted by default, OLM had to make a few changes, because the way we run catalog pods (and we have to run them that way because of how the opm binary worked) was incompatible w/ running restricted.
      
      1) We set openshift-marketplace to enforce restricted (this was our choice, we didn't have to do it, but we did).
      2) We updated the opm binary so catalog images using a newer opm binary don't have to run privileged.
      3) We added a field to catalogsource that allows you to choose whether to run the pod privileged (legacy mode) or restricted. The default is restricted. We made that the default so that users running their own catalogs in their own NSes (which would be default PSA enforcing) would be able to be successful w/o needing their NS upgraded to privileged.
      
      Unfortunately this means:
      1) Legacy catalog images (i.e. using older opm binaries) won't run on 4.12 by default (the catalogsource needs to be modified to specify legacy mode).
      2) Legacy catalog images cannot be run in the openshift-marketplace NS, since that NS does not allow privileged pods. This means legacy catalogs can't contribute to the global catalog (since catalogs must be in that NS to be in the global catalog).
      
      Before 4.12 ships we need to:
      1) Remove the PSA restricted label on the openshift-marketplace NS.
      2) Change the catalogsource securitycontextconfig mode default to use "legacy" as the default, not restricted.
      
      This gives catalog authors another release to update to using a newer opm binary that can run restricted, or to get their NSes explicitly labeled as privileged (4.12 will not enforce restricted, so in 4.12 using the legacy mode will continue to work).
      
      In 4.13 we will need to revisit what we want the default to be, since at that point catalogs will start breaking if they try to run in legacy mode in most NSes.
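As an added example (not part of the issue and not OLM's own code), a small Python pre-flight check that models the rules above: the namespace's PSA enforce label, the CatalogSource's `spec.grpcPodConfig.securityContextConfig` value, and the release default this issue flips from restricted to legacy. It assumes an unlabeled namespace enforces `privileged` (the upstream PSA default) and that a legacy-mode catalog pod cannot satisfy `restricted` but is admitted under `baseline`, the level the verification comment on this issue shows on openshift-marketplace.

```python
"""Pre-flight check: will an OLM catalog pod be admitted under PSA?

Added example, not from the Jira issue or OLM. Inputs are the namespace
labels and the CatalogSource spec as plain dicts (constructed below).
"""

ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"
PSA_LEVELS = ("privileged", "baseline", "restricted")
CATALOG_MODES = ("legacy", "restricted")

# Constructed sample namespaces, reduced to the one label the check needs.
NAMESPACES = {
    "openshift-marketplace-fixed": {ENFORCE_LABEL: "baseline"},    # after this fix
    "openshift-marketplace-old": {ENFORCE_LABEL: "restricted"},    # before this fix
    "my-catalogs": {},                                             # unlabeled NS
}

# Constructed sample CatalogSource specs (only grpcPodConfig matters here).
CATALOGS = {
    "relies-on-default": {},
    "explicit-legacy": {"grpcPodConfig": {"securityContextConfig": "legacy"}},
    "explicit-restricted": {"grpcPodConfig": {"securityContextConfig": "restricted"}},
}


def enforce_level(ns_labels: dict) -> str:
    """PSA level the namespace enforces; assumption: unlabeled -> privileged."""
    level = ns_labels.get(ENFORCE_LABEL, "privileged")
    if level not in PSA_LEVELS:
        raise ValueError(f"unknown PSA level {level!r}")
    return level


def effective_mode(catalog_spec: dict, default_mode: str = "legacy") -> str:
    """Resolve securityContextConfig, falling back to the release default
    (legacy once this issue is fixed; restricted in the earlier 4.12 builds)."""
    mode = catalog_spec.get("grpcPodConfig", {}).get("securityContextConfig", default_mode)
    if mode not in CATALOG_MODES:
        raise ValueError(f"unknown securityContextConfig {mode!r}")
    return mode


def catalog_pod_admitted(ns_labels: dict, catalog_spec: dict, default_mode: str = "legacy") -> bool:
    """Restricted-mode pods satisfy every profile; legacy-mode pods are
    rejected only where the namespace enforces 'restricted' (assumption)."""
    if effective_mode(catalog_spec, default_mode) == "restricted":
        return True
    return enforce_level(ns_labels) != "restricted"
```

Running it against the constructed samples shows the failure this issue describes: a catalog that relies on the default is rejected in the old restricted-enforcing namespace and admitted once the label is relaxed to baseline.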

            OpenShift Jira Automation Bot added a comment - Per the announcement sent regarding the removal of "Blocker" as an option in the Priority field, this issue (which was already closed at the time of the bulk update) had Priority = "Blocker." It is being updated to Priority = Critical. No additional fields were changed.

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory, and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2022:7399

            Jian Zhang added a comment -

            1. Create the cluster with the fixed PR via cluster-bot.
            MacBook-Pro:~ jianzhang$ oc get clusterversion
            NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
            version   4.12.0-0.ci.test-2022-12-13-025809-ci-ln-6yigrhk-latest   True        False         7m52s   Cluster version is 4.12.0-0.ci.test-2022-12-13-025809-ci-ln-6yigrhk-latest
            
            2. Check the openshift-marketplace project labels; the `pod-security.kubernetes.io/enforce` label is `baseline`. LGTM. Verify it.
            MacBook-Pro:~ jianzhang$ oc get ns openshift-marketplace -o yaml
            apiVersion: v1
            kind: Namespace
            metadata:
              annotations:
                capability.openshift.io/name: marketplace
                include.release.openshift.io/ibm-cloud-managed: "true"
                include.release.openshift.io/self-managed-high-availability: "true"
                include.release.openshift.io/single-node-developer: "true"
                openshift.io/node-selector: ""
                openshift.io/sa.scc.mcs: s0:c14,c4
                openshift.io/sa.scc.supplemental-groups: 1000190000/10000
                openshift.io/sa.scc.uid-range: 1000190000/10000
                workload.openshift.io/allowed: management
              creationTimestamp: "2022-12-13T03:08:53Z"
              labels:
                kubernetes.io/metadata.name: openshift-marketplace
                olm.operatorgroup.uid/7fcba959-a5fb-435e-9d8d-e9acaa3350d9: ""
                openshift.io/cluster-monitoring: "true"
                pod-security.kubernetes.io/audit: restricted
                pod-security.kubernetes.io/enforce: baseline
                pod-security.kubernetes.io/enforce-version: v1.25
                pod-security.kubernetes.io/warn: restricted
              name: openshift-marketplace
              ownerReferences:
              - apiVersion: config.openshift.io/v1
                kind: ClusterVersion
                name: version
                uid: dfcfe843-2e66-4b14-9ee7-b2ef4a3a9f6d
              resourceVersion: "7957"
              uid: affc91d7-4eae-4792-870b-e57c96b999c8
            spec:
              finalizers:
              - kubernetes
            status:
              phase: Active

              agreene1991 Alexander Greene (Inactive)
              openshift-crt-jira-prow OpenShift Prow Bot
              Jian Zhang Jian Zhang