Skip to content

🐛 (fix) PSA enforcement: Move from baseline to restricted #1829

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Mar 4, 2025
Merged

🐛 (fix) PSA enforcement: Move from baseline to restricted #1829

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion config/base/common/namespace.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,6 @@ kind: Namespace
metadata:
labels:
app.kubernetes.io/part-of: olm
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/enforce: restricted
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@joelanford ^ JFY

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@camilamacedo86 can you identify which, if any, current e2e test might be able to verify this doesn't cause a problem? Maybe just?:

in ./kind-config.yaml Should we turn on PodSecurity?

    kubeadmConfigPatches:
      - |
        kind: ClusterConfiguration
        apiServer:
            extraArgs:
-              enable-admission-plugins: OwnerReferencesPermissionEnforcement
+              enable-admission-plugins: OwnerReferencesPermissionEnforcement,PodSecurity

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

e2e seems to pass for me with this set, so maybe it's all good?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just trying to verify it's really used if I set it there

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When we install OLMv1 the ns will be set within right
So, the tests running on that. But do you still want any extra step? if so, can you please clarify? Sorry, I could not follow what are you asking for I do in this case.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nvm, seems like at our current version enforced for Kind, we've got PodSecurity by default. Verified it bounced a non-compliant pod trying to be created in an NS set restricted. Since our current e2e do deployment, they must be okay.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, are you ok with this change as well? Right?

pod-security.kubernetes.io/enforce-version: "v1.32"
name: system
Loading