Loading...

XML

Word

Printable

Type: Bug
Resolution: Not a Bug
Priority: Major
Fix Version/s: 4.18.z
Affects Version/s: 4.18.z
Component/s: OLM
Labels:
- olmv1
- triaged

Severity:
Moderate
Regression:
None
Sprint:
Glaceon OLM Sprint 267
sprint_count:
1
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
Before this update, the Kubernetes version in the pod security annotation was set to the value of latest. As result, a pod might apply pod security rules defined by a future Kubernetes version. With this update, the enforce-version pod security annotation is set to v1.31 to match the version of Kubernetes API version used in OLMv1.

Show
Before this update, the Kubernetes version in the pod security annotation was set to the value of latest. As result, a pod might apply pod security rules defined by a future Kubernetes version. With this update, the enforce-version pod security annotation is set to v1.31 to match the version of Kubernetes API version used in OLMv1.
Release Note Status:
Proposed
Documentation Type:

Release Notes
Target Version:

4.18.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Summary: OLMv1 should avoid setting Pod Security Admission (PSA) labels to latest. Instead, it should pin the PSA version to match the Kubernetes API version specified in the go.mod file.

Issue Description: Using latest for PSA labels introduces unpredictability:

latest references the most recent Kubernetes version, which may include changes to PSA rules.
A Pod compliant with OCP 4.18 / Kubernetes 1.31 might fail in future versions (e.g., Kubernetes 1.40) due to altered PSA rules.
Without version pinning, behavior becomes unpredictable, compromising long-term stability.

Proposed Solution: OLMv1 should:

Avoid setting PSA labels to latest.
Pin PSA labels to the Kubernetes API version specified in the go.mod file.

More info: https://redhat-internal.slack.com/archives/C06KP34REFJ/p1739880491760029

clones

OCPBUGS-52234 [release-4.18] - [operator-controller] OLMv1 is using PSA Labels version as latest instead of version pinned

Closed

depends on

OCPBUGS-52230 OLMv1 is using PSA Labels version as latest instead of version pinned

Closed

links to

https://github.com/openshift/operator-framework-catalogd/pull/134

https://github.com/openshift/operator-framework-catalogd/pull/135

openshift/operator-framework-operator-controller#284: OCPBUGS-52234: [release-4.18] UPDATE PSA labels for OCP manifests with k8s version

Assignee:: Camila Macedo

Reporter:: Camila Macedo

QA Contact:: Jian Zhang

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2025/03/04 5:28 PM

Updated:: 2025/03/06 2:37 AM

Resolved:: 2025/03/06 2:36 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates