Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-52235

[release-4.18] - [catalogd] OLMv1 is using PSA Labels version as latest instead of version pinned

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Not a Bug
    • Icon: Major Major
    • 4.18.z
    • 4.18.z, 4.19.0
    • OLM
    • Moderate
    • None
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • The annotation pod-security.kubernetes.io/enforce-version now defaults to v1.31 instead of latest
    • Proposed
    • Release Notes

      Summary: OLMv1 should avoid setting Pod Security Admission (PSA) labels to latest. Instead, it should pin the PSA version to match the Kubernetes API version specified in the go.mod file.​

      Issue Description: Using latest for PSA labels introduces unpredictability:​ Example:

      • latest references the most recent Kubernetes version, which may include changes to PSA rules.​
      • A Pod compliant with OCP 4.18 / Kubernetes 1.31 might fail in future versions (e.g., Kubernetes 1.40) due to altered PSA rules.​
      • Without version pinning, behavior becomes unpredictable, compromising long-term stability.​

      Proposed Solution: OLMv1 should:​

      • Avoid setting PSA labels to latest.​
      • Pin PSA labels to the Kubernetes API version specified in the go.mod file.​

      More info: https://redhat-internal.slack.com/archives/C06KP34REFJ/p1739880491760029

              rh-ee-cmacedo Camila Macedo
              rh-ee-cmacedo Camila Macedo
              Jian Zhang Jian Zhang
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: