openshift
diff --git a/Diff for: ‎manifests/0000_50_olm_00-namespace.yaml
+7-5 b/Diff for: ‎manifests/0000_50_olm_00-namespace.yaml
+7-5
diff --git a/Diff for: ‎manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
-1 b/Diff for: ‎manifests/0000_50_olm_06-psm-operator.deployment.ibm-cloud-managed.yaml
-1
diff --git a/Diff for: ‎manifests/0000_50_olm_06-psm-operator.deployment.yaml
-1 b/Diff for: ‎manifests/0000_50_olm_06-psm-operator.deployment.yaml
-1
diff --git a/Diff for: ‎manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
+8-9 b/Diff for: ‎manifests/0000_50_olm_07-olm-operator.deployment.ibm-cloud-managed.yaml
+8-9
diff --git a/Diff for: ‎manifests/0000_50_olm_07-olm-operator.deployment.yaml
+8-9 b/Diff for: ‎manifests/0000_50_olm_07-olm-operator.deployment.yaml
+8-9
diff --git a/Diff for: ‎manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
+9-9 b/Diff for: ‎manifests/0000_50_olm_08-catalog-operator.deployment.ibm-cloud-managed.yaml
+9-9
diff --git a/Diff for: ‎manifests/0000_50_olm_08-catalog-operator.deployment.yaml
+9-9 b/Diff for: ‎manifests/0000_50_olm_08-catalog-operator.deployment.yaml
+9-9
diff --git a/Diff for: ‎pkg/manifests/csv.yaml
+8-9 b/Diff for: ‎pkg/manifests/csv.yaml
+8-9
diff --git a/Diff for: ‎scripts/catalog-deployment.patch.yaml
-1 b/Diff for: ‎scripts/catalog-deployment.patch.yaml
-1
diff --git a/Diff for: ‎scripts/generate_crds_manifests.sh
+2-1 b/Diff for: ‎scripts/generate_crds_manifests.sh
+2-1
diff --git a/Diff for: ‎scripts/olm-deployment.patch.yaml
-1 b/Diff for: ‎scripts/olm-deployment.patch.yaml
-1
diff --git a/Diff for: ‎scripts/packageserver-deployment.patch.yaml
-1 b/Diff for: ‎scripts/packageserver-deployment.patch.yaml
-1
diff --git a/Diff for: ‎staging/operator-lifecycle-manager/Dockerfile
+1 b/Diff for: ‎staging/operator-lifecycle-manager/Dockerfile
+1
diff --git a/Diff for: ‎staging/operator-lifecycle-manager/Dockerfile.goreleaser
+1 b/Diff for: ‎staging/operator-lifecycle-manager/Dockerfile.goreleaser
+1
diff --git a/Diff for: ‎staging/operator-lifecycle-manager/cmd/catalog/main.go
+6 b/Diff for: ‎staging/operator-lifecycle-manager/cmd/catalog/main.go
+6
diff --git a/Diff for: ‎staging/operator-lifecycle-manager/cmd/catalog/start.go
+2 b/Diff for: ‎staging/operator-lifecycle-manager/cmd/catalog/start.go
+2
diff --git a/Diff for: ‎staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_00-namespace.yaml
+10 b/Diff for: ‎staging/operator-lifecycle-manager/deploy/chart/templates/0000_50_olm_00-namespace.yaml
+10
@@ -2,23 +2,25 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: openshift-operator-lifecycle-manager
+  labels:
+    openshift.io/scc: "anyuid"
+    openshift.io/cluster-monitoring: "true"
   annotations:
     openshift.io/node-selector: ""
     workload.openshift.io/allowed: "management"
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
-  labels:
-    openshift.io/scc: "anyuid"
-    openshift.io/cluster-monitoring: "true"
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
   name: openshift-operators
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/enforce-version: "v1.24"
+    openshift.io/scc: "anyuid"
   annotations:
     openshift.io/node-selector: ""
     workload.openshift.io/allowed: "management"
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
-  labels:
-    openshift.io/scc: "anyuid"
 
@@ -23,7 +23,6 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-        runAsUser: 65534
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
 
@@ -23,7 +23,6 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-        runAsUser: 65534
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
 
@@ -21,6 +21,10 @@ spec:
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       volumes:
         - name: srv-cert
@@ -31,6 +35,10 @@ spec:
             secretName: pprof-cert
       containers:
         - name: olm-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
           volumeMounts:
             - name: srv-cert
               mountPath: "/srv-cert"
@@ -84,10 +92,6 @@ spec:
             requests:
               cpu: 10m
               memory: 160Mi
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ["ALL"]
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
@@ -103,8 +107,3 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       priorityClassName: system-cluster-critical
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
-        seccompProfile:
-          type: RuntimeDefault
@@ -21,6 +21,10 @@ spec:
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       volumes:
         - name: srv-cert
@@ -31,6 +35,10 @@ spec:
             secretName: pprof-cert
       containers:
         - name: olm-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
           volumeMounts:
             - name: srv-cert
               mountPath: "/srv-cert"
@@ -84,10 +92,6 @@ spec:
             requests:
               cpu: 10m
               memory: 160Mi
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ["ALL"]
       nodeSelector:
         kubernetes.io/os: linux
         node-role.kubernetes.io/master: ""
@@ -104,8 +108,3 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       priorityClassName: system-cluster-critical
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
-        seccompProfile:
-          type: RuntimeDefault
@@ -21,6 +21,10 @@ spec:
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       volumes:
         - name: srv-cert
@@ -31,6 +35,10 @@ spec:
             secretName: pprof-cert
       containers:
         - name: catalog-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
           volumeMounts:
             - name: srv-cert
               mountPath: "/srv-cert"
@@ -55,6 +63,7 @@ spec:
             - /srv-cert/tls.key
             - --client-ca
             - /profile-collector-cert/tls.crt
+            - --set-workload-user-id=false
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           ports:
@@ -78,10 +87,6 @@ spec:
           env:
             - name: RELEASE_VERSION
               value: "0.0.1-snapshot"
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ["ALL"]
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
@@ -97,8 +102,3 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       priorityClassName: system-cluster-critical
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
-        seccompProfile:
-          type: RuntimeDefault
@@ -21,6 +21,10 @@ spec:
       annotations:
         target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
     spec:
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       volumes:
         - name: srv-cert
@@ -31,6 +35,10 @@ spec:
             secretName: pprof-cert
       containers:
         - name: catalog-operator
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ["ALL"]
           volumeMounts:
             - name: srv-cert
               mountPath: "/srv-cert"
@@ -55,6 +63,7 @@ spec:
             - /srv-cert/tls.key
             - --client-ca
             - /profile-collector-cert/tls.crt
+            - --set-workload-user-id=false
           image: quay.io/operator-framework/olm@sha256:de396b540b82219812061d0d753440d5655250c621c753ed1dc67d6154741607
           imagePullPolicy: IfNotPresent
           ports:
@@ -78,10 +87,6 @@ spec:
           env:
             - name: RELEASE_VERSION
               value: "0.0.1-snapshot"
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop: ["ALL"]
       nodeSelector:
         kubernetes.io/os: linux
         node-role.kubernetes.io/master: ""
@@ -98,8 +103,3 @@ spec:
           operator: Exists
           tolerationSeconds: 120
       priorityClassName: system-cluster-critical
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 65534
-        seccompProfile:
-          type: RuntimeDefault
@@ -88,6 +88,10 @@ spec:
                   target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
                 creationTimestamp: null
               spec:
+                securityContext:
+                  runAsNonRoot: true
+                  seccompProfile:
+                    type: RuntimeDefault
                 serviceAccountName: olm-operator-serviceaccount
                 nodeSelector:
                   kubernetes.io/os: linux
@@ -106,6 +110,10 @@ spec:
                     tolerationSeconds: 120
                 containers:
                   - name: packageserver
+                    securityContext:
+                      allowPrivilegeEscalation: false
+                      capabilities:
+                        drop: ["ALL"]
                     command:
                       - /bin/package-server
                       - -v=4
@@ -136,10 +144,6 @@ spec:
                     volumeMounts:
                       - name: tmpfs
                         mountPath: /tmp
-                    securityContext:
-                      allowPrivilegeEscalation: false
-                      capabilities:
-                        drop: ["ALL"]
                 volumes:
                   - name: tmpfs
                     emptyDir: {}
@@ -154,11 +158,6 @@ spec:
                               values:
                                 - packageserver
                         topologyKey: "kubernetes.io/hostname"
-                securityContext:
-                  runAsNonRoot: true
-                  runAsUser: 65534
-                  seccompProfile:
-                    type: RuntimeDefault
   maturity: alpha
   version: 0.19.0
   apiservicedefinitions:
 
@@ -19,6 +19,5 @@
   path: spec.template.spec.securityContext
   value:
     runAsNonRoot: true
-    runAsUser: 65534
     seccompProfile:
       type: RuntimeDefault
@@ -133,7 +133,6 @@ spec:
     spec:
       securityContext:
         runAsNonRoot: true
-        runAsUser: 65534
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
@@ -402,3 +401,5 @@ add_ibm_managed_cloud_annotations "${ROOT_DIR}/manifests"
 
 find "${ROOT_DIR}/manifests" -type f -exec $SED -i "/^#/d" {} \;
 find "${ROOT_DIR}/manifests" -type f -exec $SED -i "1{/---/d}" {} \;
+
+${YQ} delete --inplace -d'0' manifests/0000_50_olm_00-namespace.yaml 'metadata.labels."pod-security.kubernetes.io/enforce*"'
@@ -27,6 +27,5 @@
   path: spec.template.spec.securityContext
   value:
     runAsNonRoot: true
-    runAsUser: 65534
     seccompProfile:
       type: RuntimeDefault
@@ -43,6 +43,5 @@
   path: spec.install.spec.deployments[0].spec.template.spec.securityContext
   value:
     runAsNonRoot: true
-    runAsUser: 65534
     seccompProfile:
       type: RuntimeDefault
@@ -33,6 +33,7 @@ COPY --from=builder /build/bin/olm /bin/olm
 COPY --from=builder /build/bin/catalog /bin/catalog
 COPY --from=builder /build/bin/package-server /bin/package-server
 COPY --from=builder /build/bin/cpb /bin/cpb
+USER 1001
 EXPOSE 8080
 EXPOSE 5443
 CMD ["/bin/olm"]
@@ -10,4 +10,5 @@ COPY package-server /bin/package-server
 COPY cpb /bin/cpb
 EXPOSE 8080
 EXPOSE 5443
+USER 1001
 ENTRYPOINT ["/bin/olm"]
@@ -30,6 +30,7 @@ const (
 	defaultOPMImage             = "quay.io/operator-framework/upstream-opm-builder:latest"
 	defaultUtilImage            = "quay.io/operator-framework/olm:latest"
 	defaultOperatorName         = ""
+	defaultWorkLoadUserID       = int64(1001)
 )
 
 // config flags defined globally so that they appear on the test binary as well
@@ -83,6 +84,10 @@ func (o *options) run(ctx context.Context, logger *logrus.Logger) error {
 		return fmt.Errorf("error configuring client: %s", err.Error())
 	}
 
+	workloadUserID := int64(-1)
+	if o.setWorkloadUserID {
+		workloadUserID = defaultWorkLoadUserID
+	}
 	// TODO(tflannag): Use options pattern for catalog operator
 	// Create a new instance of the operator.
 	op, err := catalog.NewOperator(
@@ -98,6 +103,7 @@ func (o *options) run(ctx context.Context, logger *logrus.Logger) error {
 		k8sscheme.Scheme,
 		o.installPlanTimeout,
 		o.bundleUnpackTimeout,
+		workloadUserID,
 	)
 	if err != nil {
 		return fmt.Errorf("error configuring catalog operator: %s", err.Error())
 
@@ -25,6 +25,7 @@ type options struct {
 	tlsKeyPath           string
 	tlsCertPath          string
 	clientCAPath         string
+	setWorkloadUserID    bool
 
 	installPlanTimeout  time.Duration
 	bundleUnpackTimeout time.Duration
@@ -66,6 +67,7 @@ func newRootCmd() *cobra.Command {
 	cmd.Flags().StringVar(&o.opmImage, "opmImage", defaultOPMImage, "the image to use for unpacking bundle content with opm")
 	cmd.Flags().StringVar(&o.utilImage, "util-image", defaultUtilImage, "an image containing custom olm utilities")
 	cmd.Flags().StringVar(&o.writeStatusName, "writeStatusName", defaultOperatorName, "ClusterOperator name in which to write status, set to \"\" to disable.")
+	cmd.Flags().BoolVar(&o.setWorkloadUserID, "set-workload-user-id", false, "set user ID for all workloads (registry pods/bundle unpack jobs to default 1001")
 
 	cmd.Flags().BoolVar(&o.debug, "debug", false, "use debug log level")
 	cmd.Flags().BoolVar(&o.version, "version", false, "displays the olm version")
 
@@ -2,9 +2,19 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: {{ .Values.namespace }}
+  labels: 
+    {{- if .Values.namespace_psa }}
+    pod-security.kubernetes.io/enforce: {{ .Values.namespace_psa.enforceLevel }}
+    pod-security.kubernetes.io/enforce-version: {{ .Values.namespace_psa.enforceVersion }}
+    {{- end }}
 
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
   name: {{ .Values.operator_namespace }}
+  labels:
+    {{- if .Values.operator_namespace_psa }}
+    pod-security.kubernetes.io/enforce: {{ .Values.operator_namespace_psa.enforceLevel }}
+    pod-security.kubernetes.io/enforce-version: {{ .Values.operator_namespace_psa.enforceVersion }}
+    {{- end }}