Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

remove default value of catsrc.spec.grpcPodConfig.securityContextConfig #342

Merged
merged 1 commit into from
Jun 13, 2024
Merged

remove default value of catsrc.spec.grpcPodConfig.securityContextConfig #342

merged 1 commit into from
Jun 13, 2024

Conversation

joelanford
Copy link
Member

In operator-framework/operator-lifecycle-manager#3206, we updated OLM to support an implicit default of a catalog pod's securityContextConfig, based on the PSA configuration of the namespace it is created in.

However, we overlooked the fact that the CatalogSource CRD specifies legacy as a default value. The result of this is that any catalog source with a non-nil spec.grpcPodConfig that attempts to leave spec.grpcPodConfig.securityContextConfig unset will be defaulted to legacy during admission.

This PR fixes that by removing the default value in the CRD spec.

@joelanford
remove default value of catsrc.spec.grpcPodConfig.securityContextConfig
8307fce 
Signed-off-by: Joe Lanford <joe.lanford@gmail.com>
@openshift-ci openshift-ci bot requested review from awgreene and benluddy June 13, 2024 14:03
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 13, 2024
@codecov Codecov
Copy link

codecov bot commented Jun 13, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 39.43%. Comparing base (e684a59) to head (8307fce).

Additional details and impacted files 
@@           Coverage Diff           @@
##           master     #342   +/-   ##
=======================================
  Coverage   39.43%   39.43%           
=======================================
  Files          56       56           
  Lines        4516     4516           
=======================================
  Hits         1781     1781           
  Misses       2581     2581           
  Partials      154      154

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@grokspawn
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jun 13, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jun 13, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: acornett21, grokspawn, joelanford

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [grokspawn,joelanford]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 5d2d3fb into operator-framework:master Jun 13, 2024
7 checks passed
@joelanford joelanford deleted the fix-rm-catsrc-security-context-config-default branch June 13, 2024 14:32
jianzhangbjz
jianzhangbjz reviewed Jun 14, 2024
View reviewed changes
crds/operators.coreos.com_catalogsources.yaml


More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'
type: string
default: legacy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, one more question, why not set the default value to restricted? Thanks!

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new default is "it depends on what the namespace PSA enforcement is", not "restricted, period"

If we changed this to default to restricted in the API, it would be impossible to have an implicit default based on some other condition of the cluster.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jianzhangbjz jianzhangbjz jianzhangbjz left review comments

@acornett21 acornett21 acornett21 approved these changes

@grokspawn grokspawn grokspawn approved these changes

@awgreene awgreene Awaiting requested review from awgreene

@benluddy benluddy Awaiting requested review from benluddy

Assignees

@grokspawn grokspawn

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@joelanford @grokspawn @jianzhangbjz @acornett21