  1. Operator Runtime
  2. OPRUN-2695

[downstream] OLM controller plug-in for openshift-* namespace labelling


    • Story
    • Resolution: Done
    • [OLM-223] FBC (Oogway), [OLM-224] FBC/PSA - Pikachu

      As an admin, I would like openshift-* namespaces with an operator to be labeled with security.openshift.io/scc.podSecurityLabelSync=true to ensure the continual functioning of operators without manual intervention. The label should only be applied to openshift-* namespaces with an operator (the presence of a ClusterServiceVersion resource) IF the label is not already present. This automation will help smooth functioning of the cluster and avoid frivolous operational events.

      Context: As part of the PSA migration period, OpenShift will ship with the "label sync'er", a controller that automatically adjusts PSA security profiles in response to the workloads present in a namespace. We can assume that not all operators (produced by Red Hat, the community or ISVs) will have successfully migrated their deployments in response to upstream PSA changes. By default, the label sync'er syncs any namespace not prefixed with "openshift-"; namespaces with that prefix require an explicit label (security.openshift.io/scc.podSecurityLabelSync=true) to be synced.

       - OLM operator has been modified (downstream only) to label any unlabelled "openshift-" namespace in which a CSV has been created
       - If a labeled namespace containing at least one non-copied CSV becomes unlabelled, it should be relabelled
       - The implementation should be done in a way to eliminate or minimize subsequent downstream sync work (it is ok to make slight architectural changes to the OLM operator in the upstream to enable this)
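
      The labelling rule above, sketched as a decision function. This is an added example, not the OLM plug-in's code: the Object type and function names are hypothetical, the sample data is constructed, and it assumes copied CSVs carry OLM's olm.copiedFrom label.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	syncLabel  = "security.openshift.io/scc.podSecurityLabelSync" // label key from the story
	copiedFrom = "olm.copiedFrom"                                 // assumption: marker on copied CSVs
)

// Object is a constructed stand-in for Kubernetes object metadata.
type Object struct {
	Name, Namespace string
	Labels          map[string]string
}

// hasOwnCSV reports whether ns holds at least one CSV that is not a copy.
func hasOwnCSV(ns string, csvs []Object) bool {
	for _, c := range csvs {
		if _, copied := c.Labels[copiedFrom]; c.Namespace == ns && !copied {
			return true
		}
	}
	return false
}

// NeedsSyncLabel reports whether the controller should set syncLabel=true on ns.
func NeedsSyncLabel(ns Object, csvs []Object) bool {
	if !strings.HasPrefix(ns.Name, "openshift-") {
		return false // other namespaces are synced by default, no label needed
	}
	if _, present := ns.Labels[syncLabel]; present {
		return false // never overwrite an existing value, even "false"
	}
	return hasOwnCSV(ns.Name, csvs) // also true again after the label is removed
}

func main() {
	csvs := []Object{ // constructed sample data
		{Name: "etcd.v1", Namespace: "openshift-foo"},
		{Name: "etcd.v1", Namespace: "openshift-bar", Labels: map[string]string{copiedFrom: "openshift-foo"}},
	}
	for _, ns := range []Object{{Name: "openshift-foo"}, {Name: "openshift-bar"}, {Name: "demo"}} {
		fmt.Printf("%s: add %s=true? %v\n", ns.Name, syncLabel, NeedsSyncLabel(ns, csvs))
	}
}
```

      Checking for the key's presence rather than its value keeps an admin's explicit opt-out (a "false" value) intact, while a namespace whose label was deleted is picked up again on the next reconcile.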

            Per Goncalves da Silva (pegoncal@redhat.com)
            Jian Zhang