
Commit be84d80

(psa) restrict olm namespace + remove labels from openshift-operators ns
This PR:

1. Adds the enforce:restricted Pod Security Admission labels to the openshift-operator-lifecycle-manager namespace.
2. Adds the enforce:privileged PSA labels to the openshift-operator namespace; these will be removed in a future commit, when another entity is present to modify the namespace to set the security of the namespace according to the workloads present in the namespace.
1 parent fd42910 commit be84d80

File tree

3 files changed: +9 -3 lines changed


manifests/0000_50_olm_00-namespace.yaml

+3-1
@@ -3,6 +3,8 @@ kind: Namespace
33
metadata:
44
name: openshift-operator-lifecycle-manager
55
labels:
6+
pod-security.kubernetes.io/enforce: restricted
7+
pod-security.kubernetes.io/enforce-version: "v1.24"
68
openshift.io/scc: "anyuid"
79
openshift.io/cluster-monitoring: "true"
810
annotations:
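Review bot: the first document (openshift-operator-lifecycle-manager) now carries `pod-security.kubernetes.io/enforce: restricted` while keeping `openshift.io/scc: "anyuid"`; before merging, confirm that every pod running in this namespace already satisfies the restricted profile as of v1.24 (runAsNonRoot, a seccompProfile of RuntimeDefault or Localhost, capabilities dropped to ALL, allowPrivilegeEscalation: false), because with only the enforce label set a non-conforming pod is rejected at admission rather than reported. Consider adding the matching `pod-security.kubernetes.io/warn: restricted` and `pod-security.kubernetes.io/audit: restricted` labels alongside it so violations also show up as API warnings and in the audit log.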
@@ -16,7 +18,7 @@ kind: Namespace
1618
metadata:
1719
name: openshift-operators
1820
labels:
19-
pod-security.kubernetes.io/enforce: baseline
21+
pod-security.kubernetes.io/enforce: privileged
2022
pod-security.kubernetes.io/enforce-version: "v1.24"
2123
openshift.io/scc: "anyuid"
2224
annotations:
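Review bot: moving the second document (openshift-operators) from `enforce: baseline` to `enforce: privileged` switches enforcement off for that namespace entirely, which is a step back from the baseline that was already committed. Since the commit message describes this as temporary, suggest keeping `pod-security.kubernetes.io/warn: baseline` and `pod-security.kubernetes.io/audit: baseline` next to it so operators installed there still produce warnings and audit entries, and the later tightening does not land as a surprise. The retained `enforce-version: "v1.24"` line is harmless here, as the privileged profile is unrestricted at every version.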

scripts/generate_crds_manifests.sh

+2-1
@@ -402,4 +402,5 @@ add_ibm_managed_cloud_annotations "${ROOT_DIR}/manifests"
402402
find "${ROOT_DIR}/manifests" -type f -exec $SED -i "/^#/d" {} \;
403403
find "${ROOT_DIR}/manifests" -type f -exec $SED -i "1{/---/d}" {} \;
404404

405-
${YQ} delete --inplace -d'0' manifests/0000_50_olm_00-namespace.yaml 'metadata.labels."pod-security.kubernetes.io/enforce*"'
405+
# (anik120): uncomment this once https://issues.redhat.com/browse/OLM-2695 is Done.
406+
#${YQ} delete --inplace -d'1' manifests/0000_50_olm_00-namespace.yaml 'metadata.labels."pod-security.kubernetes.io/enforce*"'
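Review bot: the removed line was the only place the generator stripped PSA labels, and it targeted document 0 (the OLM namespace); its replacement is a commented-out delete for document 1 (openshift-operators), so after this commit nothing is stripped and both namespaces ship with whatever values.yaml renders. That matches the stated intent, but a commented-out command guarded by a ticket URL tends to linger; either drop the dead line and keep only the comment with the OLM-2695 reference, or make it an explicit conditional. Note also that `-d'1'` selects by document index, so if the documents in 0000_50_olm_00-namespace.yaml are ever reordered the delete silently strips the wrong namespace; a comment stating that document 1 must remain openshift-operators would guard against that.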

values.yaml

+4-1
@@ -1,10 +1,13 @@
11
installType: ocp
22
rbacApiVersion: rbac.authorization.k8s.io
33
namespace: openshift-operator-lifecycle-manager
4+
namespace_psa:
5+
enforceLevel: restricted
6+
enforceVersion: '"v1.24"'
47
catalog_namespace: openshift-marketplace
58
operator_namespace: openshift-operators
69
operator_namespace_psa:
7-
enforceLevel: baseline
10+
enforceLevel: privileged
811
enforceVersion: '"v1.24"'
912
imagestream: true
1013
writeStatusName: operator-lifecycle-manager
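Review bot: `operator_namespace_psa.enforceLevel` now defaults to `privileged` in values.yaml with nothing in the file marking it as temporary; since this is what the template actually reads, a YAML comment next to it pointing at the same OLM-2695 ticket as the generator script would keep the intent discoverable for whoever lands the follow-up. The new `namespace_psa` block mirrors `operator_namespace_psa`, including the nested `'"v1.24"'` quoting that makes the rendered label value come out as `"v1.24"` in the manifest diff above; fine as is.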
