⚠️ Enforce PSA for restricted instead of baseline #3526

Open
wants to merge 1 commit into
base: master

@camilamacedo86 (Contributor) commented Feb 28, 2025

For the last two years, we've defaulted to baseline enforcement. At this point, I expect everyone to use catalog binaries that can handle restricted enforcement.

Motivated by: #3524 (comment)

@camilamacedo86 (Contributor Author)

Hi @ @kevinrizza @perdasilva

The follow up requested :-)

@kevinrizza (Member)

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 28, 2025
@anik120 (Contributor) left a comment

Can we confirm that we're okay with moving to restricted?

I'm concerned we'll take these changes downstream, and then hit the same issue we were facing 2 years ago and be forced to revert (and potentially back port)

@anik120 (Contributor) commented Feb 28, 2025

Looks like we might be facing an issue upstream too:

Summarizing 1 Failure:
  [FAIL] Starting CatalogSource e2e tests when The namespace is labled as Pod Security Admission policy enforce:restricted when A CatalogSource built with opm v1.21.0 (<v1.23.2)is created with spec.GrpcPodConfig.SecurityContextConfig set to legacy [It] The registry pod comes up successfully [CatalogSource]

Could be a flake too.
Again, without remembering what exactly the issue was 2 years ago it's hard to make an educated guess.

@camilamacedo86 (Contributor Author)

@anik120

I updated this test: #3526 (comment). Probably we need to remove it, or I did something wrong. But I agree we need to check this one properly; we cannot only update. Thank you for calling it out :-)

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 2, 2025
@anik120 (Contributor) commented Mar 5, 2025

> @anik120
>
> I updated this test: #3526 (comment). Probably we need to remove it, or I did something wrong. But I agree we need to check this one properly; we cannot only update. Thank you for calling it out :-)

Right, it looks like the test is possibly actually telling us we're not ready to move to restricted yet.

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 7, 2025