OpenShift Request For Enhancement
RFE-5122

Update OLM to set default CatalogSource pod SecurityContext based on Namespace PSA Labels


Details

    • Feature Request
    • Resolution: Unresolved
    • Critical

    Description

      See the OLM Upstream Issue for details:

      https://github.com/operator-framework/operator-lifecycle-manager/issues/3132


      Summary: We have libraries and command-line interfaces that generate CatalogSources that can be applied directly to a cluster. oc-mirror also creates CatalogSources for the customer to apply.

      When `.spec.grpcPodConfig.securityContextConfig` is NOT SET in the CatalogSource, OLM treats the default as "legacy", which means the catalog pod is NOT given the `restricted` securityContext, so in a namespace that enforces the `restricted` pod security standard the catalog pod fails to run.

      Therefore, if OCP 4.15 changes the default behavior for new namespaces to enforce the `restricted` pod security standard, all catalog pods will fail in those namespaces.

      The ask is to set the default securityContextConfig for the CatalogSource dynamically, inheriting the enforced pod security standard from the namespace instead of hard-coding it to "legacy".


      Examples:

      If the namespace label is
      pod-security.kubernetes.io/enforce: restricted
      then generate the Catalog pod as if:

      .spec.grpcPodConfig.securityContextConfig=restricted

      otherwise generate the Catalog pod as if:

      .spec.grpcPodConfig.securityContextConfig=legacy
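      The defaulting rule above, written out as a small Go program. This is an added illustration, not OLM's code: an explicit securityContextConfig value still wins, and only an unset value is inherited from the namespace label. The pod settings returned for "restricted" (non-root, RuntimeDefault seccomp, no privilege escalation, all capabilities dropped) are the fields the restricted Pod Security Standard requires and are assumed here rather than taken from OLM's pod builder.

```go
package main

import "fmt"

// Standard Pod Security Admission label and the value the RFE keys on.
const enforceLabel = "pod-security.kubernetes.io/enforce"

// PodSecurityContext is the subset of pod/container security fields
// (assumed mapping) that a catalog pod needs to pass the restricted PSS.
type PodSecurityContext struct {
	RunAsNonRoot             bool
	SeccompProfile           string // "RuntimeDefault" for restricted, "" for legacy
	AllowPrivilegeEscalation bool
	DropAllCapabilities      bool
}

// EffectiveSecurityContextConfig applies the rule from the issue:
// an explicit .spec.grpcPodConfig.securityContextConfig is honoured as-is;
// if unset, inherit "restricted" when the namespace enforces restricted,
// and fall back to "legacy" for any other label value (or no label).
func EffectiveSecurityContextConfig(explicit string, nsLabels map[string]string) string {
	if explicit != "" {
		return explicit
	}
	if nsLabels[enforceLabel] == "restricted" {
		return "restricted"
	}
	return "legacy"
}

// SecurityContextFor renders a config value as pod settings (assumed mapping).
func SecurityContextFor(config string) PodSecurityContext {
	if config == "restricted" {
		return PodSecurityContext{RunAsNonRoot: true, SeccompProfile: "RuntimeDefault",
			AllowPrivilegeEscalation: false, DropAllCapabilities: true}
	}
	// Legacy: OLM leaves the pod context unset, so nothing is hardened.
	return PodSecurityContext{AllowPrivilegeEscalation: true}
}

func main() {
	// Constructed namespace label sets for demonstration.
	restrictedNS := map[string]string{enforceLabel: "restricted"}
	baselineNS := map[string]string{enforceLabel: "baseline"}
	for _, ns := range []map[string]string{restrictedNS, baselineNS, nil} {
		cfg := EffectiveSecurityContextConfig("", ns)
		fmt.Printf("labels=%v -> %s %+v\n", ns, cfg, SecurityContextFor(cfg))
	}
}
```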

      People

        rhn-coreos-tunwu Tony Wu
        cdjohnson-cpeng Chris Johnson
        Daniel Messer