See the OLM Upstream Issue for details:

https://github.com/operator-framework/operator-lifecycle-manager/issues/3132

Summary:  We have libraries and command-line interfaces that generate CatalogSources that can be applied directly to a cluster.   oc-mirror also creates CatalogSources for the customer to apply.

When the `.spec.grpcPodConfig.securityContextConfig` is NOT SET in the CatalogSource,  OLM treats the value's default as "legacy", which means that the Catalog Pod does NOT set the `restricted` securityContext, meaning that a Catalog pod will fail to run.

Therefore if OCP 4.15 changes the default behavior for new namespaces to enforce the `restricted` pod security standard, all catalog pods will fail in those namespaces.

The ask is to dynamically set the Default securityContextConfig for the CatalogSource to inherit the enforced pod security standard from the namespace instead of hard-coding it to "legacy".

Examples:

If the namespace label is
pod-security.kubernetes.io/enforce: restricted
then generate the Catalog pod as if :

.spec.grpcPodConfig.securityContextConfig=restricted

else then generate the Catalog pod as if :

.spec.grpcPodConfig.securityContextConfig=legacy