Details
-
Task
-
Resolution: Done
-
Undefined
-
None
-
None
-
None
-
1
-
False
-
None
-
False
-
Bulbasaur
-
0
Description
For reasons I still struggle to understand, in trying to mitigate issues stemming from the PSA changes to k8s, we decided on a convoluted architecture where one reconciler by one team (cluster-policy-controller) ignores openshift-* namespaces unless they have a specific label and are not part of the payload, while a reconciler on our team labels non-payload openshift-* namespaces appropriately so that the first one will do its security magic and keep workloads stable during this transition. This cockamamie scheme lead to a dependency between olm and cpc s.t. we can share the list of payload openshift-* namespaces.
This also means that we need to update the dependency at each release to keep parity with the OCP version of the dependency and olm.
We need to update the cpc dependency as the pipeline is blocked until we do (to letting an old version of the dependency, perhaps with a different list of payload openshift-* namespaces and breaking customer cluster or impacting their experience).
Note: this is currently blocking ART compliance PRs. We need to get this in ASAP.