Details
-
Task
-
Resolution: Done
-
Undefined
-
None
-
None
-
None
-
1
-
False
-
None
-
False
-
Doomsday
-
0
Description
The PSA changes introduced in 4.12 meant that we had to figure out a way to ensure that customer workloads (3rd-party or otherwise) wouldn't grind to a halt as pods cannot be scheduled due to PSA. The solution found was to have another controller that could introspect a namespace to determine the best pod security standard to apply to the namespace. This controller ignores payload namespaces (usually named openshift-), but will reconcile non-payload openshift- namespaces with a special label applied to it. On the OLM side, we had to create a controller that would apply the psa label sync'er label to non-payload openshift-* namespaces with operators (CSVs) installed in them.
OLM took a dependency on the cluster-policy-controller in order to get the list of payload namespaces. This dependency introduced a few challenges for our CI:
- we need to ensure parity between the CPC and OLM OpenShift releases: since the list of payload namespaces could vary between OpenShift releases.
- because the CPC is also a controller, it depends on many of the same libraries as OLM. This can cause vendoring problems, or force OLM to be in lockstep with CPC w.r.t. the common controller libraries
To avoid these issues, and seen as the list probably won't update very frequently, we'll make our own copy of the list and maintain it on this side, as this will be less busy work than the alternative.