RFE-5122: Update OLM to set default CatalogSource pod SecurityContext based on Namespace PSA Labels

Project: OpenShift Request For Enhancement

    • Type: Feature Request
    • Resolution: Done
    • Priority: Critical

      See the OLM Upstream Issue for details:

      https://github.com/operator-framework/operator-lifecycle-manager/issues/3132

       

      Summary: We have libraries and command-line interfaces that generate CatalogSources that can be applied directly to a cluster. oc-mirror also creates CatalogSources for the customer to apply.

      When `.spec.grpcPodConfig.securityContextConfig` is NOT SET in the CatalogSource, OLM treats the default as "legacy", which means the Catalog Pod does NOT set the `restricted` securityContext, so a Catalog pod will fail to run.

      Therefore, if OCP 4.15 changes the default behavior for new namespaces to enforce the `restricted` pod security standard, all catalog pods will fail in those namespaces.

      The ask is to dynamically set the default securityContextConfig for the CatalogSource to inherit the enforced pod security standard from the namespace instead of hard-coding it to "legacy".

       

      Examples:

      If the namespace label is
      pod-security.kubernetes.io/enforce: restricted
      then generate the Catalog pod as if:

      .spec.grpcPodConfig.securityContextConfig=restricted

      otherwise generate the Catalog pod as if:

      .spec.grpcPodConfig.securityContextConfig=legacy
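      As an added illustration, not code from OLM, oc-mirror or this RFE: a Go sketch of the defaulting rule the examples above describe, followed by a simplified check that shows why a "legacy" catalog pod is rejected when the namespace enforces the restricted standard. The struct, its fields, the function names and the admission check are assumptions of this example; the restricted-profile requirements it encodes (runAsNonRoot, allowPrivilegeEscalation=false, RuntimeDefault/Localhost seccomp, drop ALL capabilities) come from the Kubernetes Pod Security Standards, not from this page, and only the restricted level is modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// Names taken from the RFE: the PSA enforce label and the two securityContextConfig values.
const (
	psaEnforceLabel           = "pod-security.kubernetes.io/enforce"
	securityContextRestricted = "restricted"
	securityContextLegacy     = "legacy"
)

// DefaultSecurityContextConfig derives the effective value of
// .spec.grpcPodConfig.securityContextConfig as the RFE asks for:
// an explicit value on the CatalogSource wins; otherwise "restricted" when the
// namespace enforces the restricted standard, and "legacy" for anything else.
func DefaultSecurityContextConfig(explicit string, nsLabels map[string]string) string {
	if v := strings.TrimSpace(explicit); v != "" {
		return v
	}
	// Indexing a nil map is safe in Go and yields "".
	if strings.TrimSpace(nsLabels[psaEnforceLabel]) == "restricted" {
		return securityContextRestricted
	}
	return securityContextLegacy
}

// PodSecuritySettings is a simplified stand-in (an assumption of this example,
// not OLM's real pod template) for the settings the restricted profile checks.
// AllowPrivilegeEscalation is a pointer because PSA distinguishes "unset" from "false".
type PodSecuritySettings struct {
	RunAsNonRoot             bool
	AllowPrivilegeEscalation *bool
	SeccompProfile           string   // "RuntimeDefault", "Localhost", or "" when unset
	DropCapabilities         []string // e.g. {"ALL"}
}

func boolPtr(b bool) *bool { return &b }

// RenderCatalogPodSecurity shows what each config means for the catalog pod:
// "restricted" sets the fields the Kubernetes restricted standard requires;
// "legacy" leaves them unset, which is the behaviour the RFE describes as
// failing inside a restricted namespace.
func RenderCatalogPodSecurity(config string) PodSecuritySettings {
	if config == securityContextRestricted {
		return PodSecuritySettings{
			RunAsNonRoot:             true,
			AllowPrivilegeEscalation: boolPtr(false),
			SeccompProfile:           "RuntimeDefault",
			DropCapabilities:         []string{"ALL"},
		}
	}
	return PodSecuritySettings{} // legacy: nothing set
}

// AdmittedByPSA reports whether the rendered settings satisfy the namespace's
// enforce level. Only "restricted" is modelled; baseline and privileged are
// assumed to admit the pod (a simplification of this example).
func AdmittedByPSA(s PodSecuritySettings, enforce string) bool {
	if enforce != "restricted" {
		return true
	}
	dropsAll := false
	for _, c := range s.DropCapabilities {
		if c == "ALL" {
			dropsAll = true
		}
	}
	return s.RunAsNonRoot &&
		s.AllowPrivilegeEscalation != nil && !*s.AllowPrivilegeEscalation &&
		(s.SeccompProfile == "RuntimeDefault" || s.SeccompProfile == "Localhost") &&
		dropsAll
}

func main() {
	// Constructed sample namespaces: one enforcing restricted, one unlabelled.
	restrictedNS := map[string]string{psaEnforceLabel: "restricted"}
	for _, ns := range []map[string]string{restrictedNS, {}} {
		cfg := DefaultSecurityContextConfig("", ns)
		ok := AdmittedByPSA(RenderCatalogPodSecurity(cfg), ns[psaEnforceLabel])
		fmt.Printf("enforce=%q -> securityContextConfig=%s admitted=%v\n", ns[psaEnforceLabel], cfg, ok)
	}
	// The current hard-coded default in a restricted namespace: rejected.
	fmt.Println("hard-coded legacy under restricted admitted:",
		AdmittedByPSA(RenderCatalogPodSecurity(securityContextLegacy), "restricted"))
}
```

      The design point is that the explicit field still takes precedence, so existing CatalogSources that set `securityContextConfig` keep their behaviour and only the unset case changes.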

            rhn-coreos-tunwu Tony Wu
            cdjohnson-cpeng Chris Johnson (Inactive)
            Daniel Messer