Epic Goal

• Facilitate the transition to for OLM and content to PSA enforcing the `restricted` security profile
• Use the label synch'er to enforce the required security profile
• Current content should work out-of-the-box as is
• Upgrades should not be blocked

Why is this important?

• PSA helps secure the cluster by enforcing certain security restrictions that the pod must meet to be scheduled
• 4.12 will enforce the `restricted` profile, which will affect the deployment of operators in `openshift-*` namespaces 

Scenarios

1. Admin installs operator in an `openshift-*`namespace that is not managed by the label syncher -> label should be applied
2. Admin installs operator in an `openshift-*` namespace that has a label asking the label syncher to not reconcile it -> nothing changes

Acceptance Criteria

• CI - MUST be running successfully with tests automated
• Release Technical Enablement - Provide necessary release enablement details and documents.
• Done only downstream
• Transition documentation written and reviewed

Dependencies (internal and external)

1. label syncher (still searching for the link)

Open questions::

1. Is this only for openshift-* namespaces?

Resources

• notes on label syncer and what's needed for OLM
• PSA Communication - explains all required changes to adapt workloads to PSA under OCP 4.12 (inc. SCC)

Stakeholders

• Daniel S...?

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>