🐛 (fix) PSA enforcement: Move from baseline to restricted

[camilamacedo86]

Namespaces should be restricted by default instead of have granted additional not required permissions

Description

Reviewer Checklist

• API Go Documentation
• Tests: Unit Tests (and E2E Tests, if appropriate)
• Comprehensive Commit Messages
• Links to related GitHub Issue(s)

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	f86d3f4
🔍 Latest deploy log	https://app.netlify.com/sites/olmv1/deploys/67c71c21764407000891283b
😎 Deploy Preview	https://deploy-preview-1829--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[camilamacedo86]

@joelanford ^ JFY

[bentito]

@camilamacedo86 can you identify which, if any, current e2e test might be able to verify this doesn't cause a problem? Maybe just?:

in ./kind-config.yaml Should we turn on PodSecurity?

    kubeadmConfigPatches:
      - |
        kind: ClusterConfiguration
        apiServer:
            extraArgs:
-              enable-admission-plugins: OwnerReferencesPermissionEnforcement
+              enable-admission-plugins: OwnerReferencesPermissionEnforcement,PodSecurity

[bentito]

e2e seems to pass for me with this set, so maybe it's all good?

[bentito]

just trying to verify it's really used if I set it there

[camilamacedo86]

When we install OLMv1 the ns will be set within right
So, the tests running on that. But do you still want any extra step? if so, can you please clarify? Sorry, I could not follow what are you asking for I do in this case.

[bentito]

nvm, seems like at our current version enforced for Kind, we've got PodSecurity by default. Verified it bounced a non-compliant pod trying to be created in an NS set restricted. Since our current e2e do deployment, they must be okay.

[camilamacedo86]

So, are you ok with this change as well? Right?

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.42%. Comparing base (c899dc1) to head (f86d3f4).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1829      +/-   ##
==========================================
- Coverage   68.44%   68.42%   -0.02%     
==========================================
  Files          63       63              
  Lines        5134     5134              
==========================================
- Hits         3514     3513       -1     
- Misses       1390     1391       +1     
  Partials      230      230              

Flag	Coverage Δ
e2e	51.57% <ø> (ø)
unit	56.01% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[camilamacedo86]

I need to rebase this one,
Could we get the approval again :-) ?
@perdasilva