[OCPBUGS-53108] The openshift-operator-lifecycle-manager and openshift-marketplace namespaces still use old pod-security.kubernetes.io/*-version v1.24 and v1.25 respectively - Red Hat Issue Tracker

Type: Bug
Resolution: Done-Errata
Priority: Major
Fix Version/s: None
Affects Version/s: 4.17.z, 4.16.z, 4.18.z, 4.19.0
Component/s: OLM
Labels:

Severity:
Moderate
Regression:
None
Sprint:
Horsea OLM Sprint 268
sprint_count:
1
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
* Previously, the Operator Marketplace and the {olm-first} used an older version, v1.24, of the `pod-security.kubernetes.io/` label. With this release, the namespace where Operator Marketplace is deployed now uses the Pod Security Admission (PSA) label marked as `latest`. (link:https://issues.redhat.com/browse/OCPBUGS-53149[*~~OCPBUGS-53149~~*]) (link:https://issues.redhat.com/browse/OCPBUGS-53108[*~~OCPBUGS-53149~~*])

Show
* Previously, the Operator Marketplace and the {olm-first} used an older version, v1.24, of the `pod-security.kubernetes.io/` label. With this release, the namespace where Operator Marketplace is deployed now uses the Pod Security Admission (PSA) label marked as `latest`. (link: https://issues.redhat.com/browse/OCPBUGS-53149 [* OCPBUGS-53149 *]) (link: https://issues.redhat.com/browse/OCPBUGS-53108 [* OCPBUGS-53149 *])
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.18.z
Target Backport Versions:

4.16.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

This is a clone of issue OCPBUGS-42526. The following is the description of the original issue:
—
Description of problem:

Starting ~~OCPBUGS-41849~~ , "pod-security.kubernetes.io/*-version" is set to "latest". But the openshift-operator-lifecycle-manager and openshift-marketplace namespaces still use old pod-security.kubernetes.io/*-version v1.24 and v1.25 respectively. Therefore creating this Jira tracker.

Version-Release number of selected component (if applicable):

4.16.0-0.nightly-2024-09-26-011209
4.17.0-rc.6
4.18.0-0.nightly-2024-09-26-222528

How reproducible:

Always

Steps to Reproduce:

Check `oc get ns -o yaml` in 4.16 / 4.17 / 4.18 envs.

Actual results:

All envs show the openshift-operator-lifecycle-manager and openshift-marketplace namespaces still use old pod-security.kubernetes.io/*-version v1.24 and v1.25 respectively:
- apiVersion: v1
  kind: Namespace
  metadata:
    ...
    labels:
      ...
      pod-security.kubernetes.io/audit: baseline
      pod-security.kubernetes.io/audit-version: v1.25
      pod-security.kubernetes.io/enforce: baseline
      pod-security.kubernetes.io/enforce-version: v1.25
      pod-security.kubernetes.io/warn: baseline
      pod-security.kubernetes.io/warn-version: v1.25
    name: openshift-marketplace
...
- apiVersion: v1
  kind: Namespace
  metadata:
    ...
    labels:
      ...
      pod-security.kubernetes.io/enforce: restricted
      pod-security.kubernetes.io/enforce-version: v1.24
    name: openshift-operator-lifecycle-manager
...
- apiVersion: v1
  kind: Namespace
  metadata:
    ...
    labels:
      kubernetes.io/metadata.name: openshift-operators
      openshift.io/scc: ""
      pod-security.kubernetes.io/enforce: privileged
      pod-security.kubernetes.io/enforce-version: v1.24
    name: openshift-operators
...

Expected results:

Like ~~OCPBUGS-41849~~ sets "pod-security.kubernetes.io/*-version" to "latest" starting 4.17, the openshift-operator-lifecycle-manager and openshift-marketplace namespaces should not still use old pod-security.kubernetes.io/*-version v1.24 and v1.25 respectively.

For the openshift-operators namespace, let's mention it too here, it still uses v1.24. In despite of https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/2579-psp-replacement/README.md#versioning saying "The privileged profile always means fully unconstrained and is effectively unversioned (specifying a version is allowed but ignored)", it is better to not specify v1.24.

Additional info:

blocks

OCPBUGS-53283 The openshift-operator-lifecycle-manager and openshift-marketplace namespaces still use old pod-security.kubernetes.io/*-version v1.24 and v1.25 respectively

Closed

clones

OCPBUGS-42526 The openshift-operator-lifecycle-manager and openshift-marketplace namespaces still use old pod-security.kubernetes.io/*-version v1.24 and v1.25 respectively

Verified

is blocked by

OCPBUGS-42526 The openshift-operator-lifecycle-manager and openshift-marketplace namespaces still use old pod-security.kubernetes.io/*-version v1.24 and v1.25 respectively

Verified

is cloned by

OCPBUGS-53283 The openshift-operator-lifecycle-manager and openshift-marketplace namespaces still use old pod-security.kubernetes.io/*-version v1.24 and v1.25 respectively

Closed

links to

openshift/operator-framework-olm#983: [release-4.18] OCPBUGS-53108: Ensure that PSA label is latest instead of pinning versions

RHBA-2025:3066 OpenShift Container Platform 4.18.z bug fix update

(1 links to)

Assignee:: Camila Macedo

Reporter:: OpenShift Prow Bot

QA Contact:: Jian Zhang

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2025/03/14 12:35 AM

Updated:: 2025/03/25 8:51 AM

Resolved:: 2025/03/25 6:59 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide