Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-5122

Update OLM to set default CatalogSource pod SecurityContext based on Namespace PSA Labels

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Done
    • Icon: Critical Critical
    • None
    • None
    • None
    • False
    • None
    • False
    • Not Selected

      See the OLM Upstream Issue for details:

      https://github.com/operator-framework/operator-lifecycle-manager/issues/3132

       

      Summary:  We have libraries and command-line interfaces that generate CatalogSources that can be applied directly to a cluster.   oc-mirror also creates CatalogSources for the customer to apply.

      When the `.spec.grpcPodConfig.securityContextConfig` is NOT SET in the CatalogSource,  OLM treats the value's default as "legacy", which means that the Catalog Pod does NOT set the `restricted` securityContext, meaning that a Catalog pod will fail to run.

      Therefore if OCP 4.15 changes the default behavior for new namespaces to enforce the `restricted` pod security standard, all catalog pods will fail in those namespaces.

      The ask is to dynamically set the Default securityContextConfig for the CatalogSource to inherit the enforced pod security standard from the namespace instead of hard-coding it to "legacy".

       

      Examples:

      If the namespace label is
      pod-security.kubernetes.io/enforce: restricted
      then generate the Catalog pod as if :

      .spec.grpcPodConfig.securityContextConfig=restricted

      else then generate the Catalog pod as if :

      .spec.grpcPodConfig.securityContextConfig=legacy

              rhn-coreos-tunwu Tony Wu
              cdjohnson-cpeng Chris Johnson (Inactive)
              Daniel Messer
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: