Commit 7a78783

Default to legacy psa settings (#273)
The catalogSource api was recently updated to support running the associated pod in a "restricted" workflow as defined by the Pod Security Admission controller. By default, the catalogSource pods have been configured to run in "restricted" mode, which is disruptive to customers managing and deploying their own catalogSources as they need to rebuild their catalogs to run in "restricted" mode if a namespace is marked as "restricted".

In an effort to provide users with a bit more time to rebuild their catalogSources, this change configures catalogSources to run in "legacy" mode by default. A series of other changes will be made to update the namespaces associated with marketplace and olm to support catalogSources running in "legacy" mode by default.

Signed-off-by: Alexander Greene <[email protected]>
1 parent 104da7e commit 7a78783

File tree

7 files changed

+32
-24
lines changed


manifests/0000_50_olm_00-catalogsources.crd.yaml

+2-2
Original file line numberDiff line numberDiff line change
@@ -82,9 +82,9 @@ spec:
8282
description: If specified, indicates the pod's priority. If not specified, the pod priority will be default or zero if there is no default.
8383
type: string
8484
securityContextConfig:
85-
description: 'SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource''s pod is either injected with the right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in Pod Security Admission(PSA) controller''s `restricted` mode, or doesn''t set these values at all, in which case the pod can only be run in PSA `baseline` or `privileged` namespaces. By default, SecurityContextConfig is set to `restricted`. If the value is unspecified, the default value of `restricted` is used. Specifying any other value will result in a validation error. When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig should be set to `legacy`. More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'''
85+
description: "SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource's pod is either injected with the right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in Pod Security Admission (PSA) `restricted` mode, or doesn't set these values at all, in which case the pod can only be run in PSA `baseline` or `privileged` namespaces. Currently if the SecurityContextConfig is unspecified, the default value of `legacy` is used. Specifying a value other than `legacy` or `restricted` result in a validation error. When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig should be set to `legacy`. \n In a future version will the default will be set to `restricted`, catalog maintainers should rebuild their catalogs with a version of opm that supports running catalogSource pods in `restricted` mode to prepare for these changes. \n More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'"
8686
type: string
87-
default: restricted
87+
default: legacy
8888
enum:
8989
- legacy
9090
- restricted
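Review bot: the new `description` string (line 85) ships three wording defects into the CRD's OpenAPI docs: "Specifying a value other than `legacy` or `restricted` result in a validation error" should read "results in", "In a future version will the default will be set to `restricted`" has a duplicated "will", and the string ends with a stray `'` before the closing `"` (`...pod-security-admission/'"`), a leftover from the old single-quoted YAML form. Since this manifest is generated from the field comment in `catalogsource_types.go`, fix the wording there and regenerate rather than hand-editing this file.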

staging/api/crds/operators.coreos.com_catalogsources.yaml

+2-2
@@ -80,9 +80,9 @@ spec:
8080
description: If specified, indicates the pod's priority. If not specified, the pod priority will be default or zero if there is no default.
8181
type: string
8282
securityContextConfig:
83-
description: 'SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource''s pod is either injected with the right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in Pod Security Admission(PSA) controller''s `restricted` mode, or doesn''t set these values at all, in which case the pod can only be run in PSA `baseline` or `privileged` namespaces. By default, SecurityContextConfig is set to `restricted`. If the value is unspecified, the default value of `restricted` is used. Specifying any other value will result in a validation error. When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig should be set to `legacy`. More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'''
83+
description: "SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource's pod is either injected with the right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in Pod Security Admission (PSA) `restricted` mode, or doesn't set these values at all, in which case the pod can only be run in PSA `baseline` or `privileged` namespaces. Currently if the SecurityContextConfig is unspecified, the default value of `legacy` is used. Specifying a value other than `legacy` or `restricted` result in a validation error. When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig should be set to `legacy`. \n In a future version will the default will be set to `restricted`, catalog maintainers should rebuild their catalogs with a version of opm that supports running catalogSource pods in `restricted` mode to prepare for these changes. \n More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'"
8484
type: string
85-
default: restricted
85+
default: legacy
8686
enum:
8787
- legacy
8888
- restricted
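Review bot: this hunk is byte-for-byte the same change as the `manifests/` CRD hunk and carries the same grammar slips and trailing `'` in the `description` (line 83); regenerating both copies from `catalogsource_types.go` in one step keeps them from drifting. Separately, the description only says the default applies when the field is unspecified, so the commit message should state what operators are expected to do with CatalogSource objects that already have `restricted` persisted from the previous default, since flipping the schema default to `legacy` does not rewrite those objects on its own.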

staging/api/crds/zz_defs.go

+1-1

staging/api/pkg/operators/v1alpha1/catalogsource_types.go

+12-8
@@ -120,17 +120,21 @@ type GrpcPodConfig struct {
120120
// +optional
121121
PriorityClassName *string `json:"priorityClassName,omitempty"`
122122

123-
// SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource's pod is either injected with
124-
// the right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in
125-
// Pod Security Admission(PSA) controller's `restricted` mode, or doesn't set these values at all, in which case the pod
126-
// can only be run in PSA `baseline` or `privileged` namespaces. By default, SecurityContextConfig is set to `restricted`.
127-
// If the value is unspecified, the default value of `restricted` is used. Specifying any other value will result in a
128-
// validation error. When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig
129-
// should be set to `legacy`.
123+
// SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource's pod is either injected with the
124+
// right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in Pod
125+
// Security Admission (PSA) `restricted` mode, or doesn't set these values at all, in which case the pod can only be
126+
// run in PSA `baseline` or `privileged` namespaces. Currently if the SecurityContextConfig is unspecified, the default
127+
// value of `legacy` is used. Specifying a value other than `legacy` or `restricted` result in a validation error.
128+
// When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig should be
129+
// set to `legacy`.
130+
//
131+
// In a future version will the default will be set to `restricted`, catalog maintainers should rebuild their catalogs
132+
// with a version of opm that supports running catalogSource pods in `restricted` mode to prepare for these changes.
133+
//
130134
// More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'
131135
// +optional
132136
// +kubebuilder:validation:Enum=legacy;restricted
133-
// +kubebuilder:default:=restricted
137+
// +kubebuilder:default:=legacy
134138
SecurityContextConfig SecurityConfig `json:"securityContextConfig,omitempty"`
135139
}
136140
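Review bot: the doc comment at lines 126-128 has the same two grammar errors as the generated CRDs ("result in a validation error" should be "results in"; "In a future version will the default will be" has a duplicated "will"), and the unchanged line 134 still ends the URL with a stray `'` (`pod-security-admission/'`); because this comment is copied verbatim into the CRD `description`, fixing it here and regenerating corrects all three copies at once. Also consider adding a `// TODO` next to `+kubebuilder:default:=legacy` naming the release in which the default is expected to return to `restricted`, so that the `legacy` default (a catalog pod with no securityContext, admissible only in `baseline` or `privileged` namespaces) does not become permanent by omission.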

vendor/github.com/operator-framework/api/crds/operators.coreos.com_catalogsources.yaml

+2-2

vendor/github.com/operator-framework/api/crds/zz_defs.go

+1-1

vendor/github.com/operator-framework/api/pkg/operators/v1alpha1/catalogsource_types.go

+12-8
