(manifests) configure manifests to comply to PSA restricted profile

Author: anik120

Diff for: manifests/0000_50_olm_00-namespace.yaml

@@ -15,10 +15,12 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: openshift-operators
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/enforce-version: "v1.24"
+    openshift.io/scc: "anyuid"
   annotations:
     openshift.io/node-selector: ""
     workload.openshift.io/allowed: "management"
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
-  labels:
-    openshift.io/scc: "anyuid"

Diff for: manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml

@@ -21,6 +21,10 @@ spec:
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       volumes:
         - name: srv-cert
@@ -31,6 +35,10 @@ spec:
             secretName: pprof-cert
       containers:
         - name: olm-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
           volumeMounts:
             - name: srv-cert
               mountPath: "/srv-cert"
@@ -82,10 +90,6 @@ spec:
             requests:
               cpu: 10m
               memory: 160Mi
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ["ALL"]
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
@@ -101,8 +105,3 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       priorityClassName: system-cluster-critical
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
-        seccompProfile:
-          type: RuntimeDefault

Diff for: manifests/0000_50_olm_07-olm-operator.deployment.yaml

@@ -21,6 +21,10 @@ spec:
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       volumes:
         - name: srv-cert
@@ -31,6 +35,10 @@ spec:
             secretName: pprof-cert
       containers:
         - name: olm-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
           volumeMounts:
             - name: srv-cert
               mountPath: "/srv-cert"
@@ -82,10 +90,6 @@ spec:
             requests:
               cpu: 10m
               memory: 160Mi
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ["ALL"]
       nodeSelector:
         kubernetes.io/os: linux
         node-role.kubernetes.io/master: ""
@@ -102,8 +106,3 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       priorityClassName: system-cluster-critical
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
-        seccompProfile:
-          type: RuntimeDefault

Diff for: manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml

@@ -21,6 +21,10 @@ spec:
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       volumes:
         - name: srv-cert
@@ -31,6 +35,10 @@ spec:
             secretName: pprof-cert
       containers:
         - name: catalog-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
           volumeMounts:
             - name: srv-cert
               mountPath: "/srv-cert"
@@ -55,6 +63,7 @@ spec:
             - /srv-cert/tls.key
             - --client-ca
             - /profile-collector-cert/tls.crt
+            - --set-workload-user-id=false
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           ports:
@@ -78,10 +87,6 @@ spec:
           env:
             - name: RELEASE_VERSION
               value: "0.0.1-snapshot"
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ["ALL"]
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
@@ -97,8 +102,3 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       priorityClassName: system-cluster-critical
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
-        seccompProfile:
-          type: RuntimeDefault

Diff for: manifests/0000_50_olm_08-catalog-operator.deployment.yaml

@@ -21,6 +21,10 @@ spec:
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       volumes:
         - name: srv-cert
@@ -31,6 +35,10 @@ spec:
             secretName: pprof-cert
       containers:
         - name: catalog-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
           volumeMounts:
             - name: srv-cert
               mountPath: "/srv-cert"
@@ -55,6 +63,7 @@ spec:
             - /srv-cert/tls.key
             - --client-ca
             - /profile-collector-cert/tls.crt
+            - --set-workload-user-id=false
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           ports:
@@ -78,10 +87,6 @@ spec:
           env:
             - name: RELEASE_VERSION
               value: "0.0.1-snapshot"
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ["ALL"]
       nodeSelector:
         kubernetes.io/os: linux
         node-role.kubernetes.io/master: ""
@@ -98,8 +103,3 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       priorityClassName: system-cluster-critical
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
-        seccompProfile:
-          type: RuntimeDefault

Diff for: pkg/manifests/csv.yaml

@@ -88,6 +88,10 @@ spec:
                   target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
                 creationTimestamp: null
               spec:
+                securityContext:
+                  runAsNonRoot: true
+                  seccompProfile:
+                    type: RuntimeDefault
                 serviceAccountName: olm-operator-serviceaccount
                 nodeSelector:
                   kubernetes.io/os: linux
@@ -106,6 +110,10 @@ spec:
                     tolerationSeconds: 120
                 containers:
                   - name: packageserver
+                    securityContext:
+                      allowPrivilegeEscalation: false
+                      capabilities:
+                        drop: ["ALL"]
                     command:
                       - /bin/package-server
                       - -v=4
@@ -136,10 +144,6 @@ spec:
                     volumeMounts:
                       - name: tmpfs
                         mountPath: /tmp
-                    securityContext:
-                      allowPrivilegeEscalation: false
-                      capabilities:
-                        drop: ["ALL"]
                 volumes:
                   - name: tmpfs
                     emptyDir: {}
@@ -154,11 +158,6 @@ spec:
                               values:
                                 - packageserver
                         topologyKey: "kubernetes.io/hostname"
-                securityContext:
-                  runAsNonRoot: true
-                  runAsUser: 65534
-                  seccompProfile:
-                    type: RuntimeDefault
   maturity: alpha
   version: 0.19.0
   apiservicedefinitions:

Diff for: scripts/catalog-deployment.patch.yaml

@@ -19,6 +19,5 @@
   path: spec.template.spec.securityContext
   value:
     runAsNonRoot: true
-    runAsUser: 65534
     seccompProfile:
       type: RuntimeDefault

Diff for: scripts/olm-deployment.patch.yaml

@@ -19,6 +19,5 @@
   path: spec.template.spec.securityContext
   value:
     runAsNonRoot: true
-    runAsUser: 65534
     seccompProfile:
       type: RuntimeDefault

Diff for: scripts/packageserver-deployment.patch.yaml

@@ -43,6 +43,5 @@
   path: spec.install.spec.deployments[0].spec.template.spec.securityContext
   value:
     runAsNonRoot: true
-    runAsUser: 65534
     seccompProfile:
       type: RuntimeDefault

Diff for: staging/operator-lifecycle-manager/deploy/chart/values.yaml

@@ -1,15 +1,12 @@
 rbacApiVersion: rbac.authorization.k8s.io
 namespace: operator-lifecycle-manager
 # see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details
-namespace_psa: 
-  enforceLevel: restricted
-  enforceVersion: latest
 catalog_namespace: operator-lifecycle-manager
 operator_namespace: operators
 # see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details
 operator_namespace_psa: 
   enforceLevel: baseline
-  enforceVersion: latest
+  enforceVersion: '"v1.24"'
 minKubeVersion: 1.11.0
 writeStatusName: '""'
 imagestream: false
@@ -33,7 +30,7 @@ olm:
      memory: 160Mi
 
 catalog:
-  setWorkloadUserID: true
+  setWorkloadUserID: false
   replicaCount: 1
   commandArgs: --configmapServerImage=quay.io/operator-framework/configmap-operator-registry:latest
   image: