Summary: OLMv1 should avoid setting Pod Security Admission (PSA) labels to latest. Instead, it should pin the PSA version to match the Kubernetes API version specified in the go.mod file.
Issue Description: Using latest for PSA labels introduces unpredictability:
- latest references the most recent Kubernetes version, which may include changes to PSA rules.
- A Pod compliant with OCP 4.18 / Kubernetes 1.31 might fail in future versions (e.g., Kubernetes 1.40) due to altered PSA rules.
- Without version pinning, behavior becomes unpredictable, compromising long-term stability.
Proposed Solution: OLMv1 should:
- Avoid setting PSA labels to latest.
- Pin PSA labels to the Kubernetes API version specified in the go.mod file.
More info: https://redhat-internal.slack.com/archives/C06KP34REFJ/p1739880491760029
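
An added example, not code from OLMv1 or from this ticket: a Go check that derives the pinned PSA version from the k8s.io/api requirement in go.mod and flags namespace version labels that are missing, set to latest, or different from that pin. The go.mod excerpt, the namespace labels and the function names are constructed for illustration, and the check assumes the k8s.io/api v0.X.Y to Kubernetes v1.X.Y version mapping.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed go.mod excerpt. k8s.io/api v0.X.Y tracks Kubernetes v1.X.Y.
const sampleGoMod = `module example.com/operator
require (
	k8s.io/apimachinery v0.31.1
	k8s.io/api v0.31.1
)
`
var k8sAPIRe = regexp.MustCompile(`(?m)^\s*(?:require\s+)?k8s\.io/api\s+v0\.(\d+)\.\d+`)

// PinnedPSAVersion (hypothetical helper) maps the k8s.io/api requirement to a PSA version such as "v1.31".
func PinnedPSAVersion(goMod string) (string, error) {
	m := k8sAPIRe.FindStringSubmatch(goMod)
	if m == nil {
		return "", fmt.Errorf("k8s.io/api requirement not found in go.mod")
	}
	return "v1." + m[1], nil
}

// UnpinnedPSALabels (hypothetical helper) lists version labels that are absent, "latest" or off-pin.
func UnpinnedPSALabels(labels map[string]string, pinned string) []string {
	const prefix = "pod-security.kubernetes.io/"
	var bad []string
	for _, mode := range []string{"enforce", "audit", "warn"} {
		if _, used := labels[prefix+mode]; !used {
			continue // mode not configured on this namespace
		}
		key := prefix + mode + "-version"
		if labels[key] != pinned { // an omitted label is treated as unpinned
			bad = append(bad, key+"="+labels[key])
		}
	}
	return bad
}

func main() {
	pinned, _ := PinnedPSAVersion(sampleGoMod)
	ns := map[string]string{ // constructed namespace labels
		"pod-security.kubernetes.io/enforce":         "restricted",
		"pod-security.kubernetes.io/enforce-version": "latest",
	}
	fmt.Println(pinned, UnpinnedPSALabels(ns, pinned))
}
```
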
- is cloned by
  - OCPBUGS-52234 [release-4.18] - [operator-controller] OLMv1 is using PSA Labels version as latest instead of version pinned (Closed)
- is depended on by
  - OCPBUGS-52234 [release-4.18] - [operator-controller] OLMv1 is using PSA Labels version as latest instead of version pinned (Closed)
  - OCPBUGS-52235 [release-4.18] - [catalogd] OLMv1 is using PSA Labels version as latest instead of version pinned (Closed)
  - OCPBUGS-52309 [release-4.18] - [catalogd] OLMv1 is using PSA Labels version as latest instead of version pinned (Closed)
- is related to
  - OCPBUGS-42526 The openshift-operator-lifecycle-manager and openshift-marketplace namespaces still use old pod-security.kubernetes.io/*-version v1.24 and v1.25 respectively (POST)