OCPBUGS-4757: Default to legacy psa settings (#273) #420
Conversation
|
/hold until operator-framework/operator-marketplace#491 merges. |
openshift-ci
bot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: awgreene The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
awgreene
changed the title
|
@awgreene: This pull request references Jira Issue OCPBUGS-3881, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci-robot
added
the
jira/invalid-bug
|
/retest |
awgreene
changed the title
|
@awgreene: This pull request references Jira Issue OCPBUGS-4757, which is invalid:
Comment The bug has been updated to refer to the pull request using the external bug tracker. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/jira refresh |
|
@awgreene: This pull request references Jira Issue OCPBUGS-4757, which is invalid:
Comment In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/jira refresh |
openshift-ci-robot
added
jira/valid-bug
|
@awgreene: This pull request references Jira Issue OCPBUGS-4757, which is valid. The bug has been moved to the POST state. 3 validation(s) were run on this bug
Requesting review from QA contact: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
awgreene
force-pushed
the
bump-api
branch
2 times, most recently
from
7a78783 to
ce0af1b
Compare
|
Verify failed, details: https://issues.redhat.com/browse/OCPBUGS-4757 |
|
/retest |
|
This PR will need the upstream changes introduced here: operator-framework/operator-lifecycle-manager#2906 |
awgreene
force-pushed
the
bump-api
branch
3 times, most recently
from
32283ce to
205562a
Compare
|
/retest |
The catalogSource api was recently updated to support running the associated pod in a "restricted" workflow as defined by the Pod Security Admission controller. By default, the catalogSource pods have been configured to run in "restricted" mode, which is disruptive to customers managing and deploying their own catalogSources as they need to rebuild their catalogs to run in "restricted" mode if a namespace is marked as "restricted". In an effort to provide users with a bit more time to rebuilt their catalogSources, this change configures catalogSources to run in "legacy" mode by default. A series of other changes will be made to update the namespaces associated with marketplace and olm to support catalogSources running in "legacy" mode by default. Signed-off-by: Alexander Greene <[email protected]> Upstream-repository: api Upstream-commit: 9fe16de3fd69800828decd67cf41ba9c5c773106
|
/retest |
awgreene
force-pushed
the
bump-api
branch
5 times, most recently
from
1ec24c4 to
6f8e290
Compare
|
/test e2e-gcp-olm |
With the recent changes to default to legacy mode, some distributions of OLM are unable to run as the catalogSources are running in legacy mode in restricted namespaces. This commit configures the catalogSource pods in the e2e suite to run in restricted mode. Signed-off-by: Alexander Greene <[email protected]> Upstream-repository: operator-lifecycle-manager Upstream-commit: d82537cd54934878bb109fde5515e0efdf798e47
|
/retest |
2 similar comments
|
/retest |
|
/retest |
|
@jianzhangbjz this should be good for a retest. |
| auditLevel: restricted | ||
| auditVersion: latest | ||
| warnLevel: restricted | ||
| warnVersion: latest |
There was a problem hiding this comment.
are we sure we want latest here? there was a reason we pinned the version @anik120 do you remember it?
There was a problem hiding this comment.
These are the upstream chart values, we actually unset the warn and audit bits here as the namespaces are restricted in OpenShift, which is not the case upstream.
|
/lgtm |
|
Retest it and It works well, details: https://issues.redhat.com/browse/OCPBUGS-4757 |
openshift-ci
bot
removed
the
do-not-merge/hold
|
/label qe-approved |
|
/lgtm |
openshift-ci
bot
added
the
qe-approved
|
@awgreene: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
@awgreene: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-4757 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cherry-pick release-4.12 |
|
@awgreene: new pull request created: #426 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The catalogSource api was recently updated to support running the associated pod in a "restricted" workflow as defined by the Pod Security Admission controller. By default, the catalogSource pods have been configured to run in "restricted" mode, which is disruptive to customers managing and deploying their own catalogSources as they need to rebuild their catalogs to run in "restricted" mode if a namespace is marked as "restricted".
In an effort to provide users with a bit more time to rebuilt their catalogSources, this change configures catalogSources to run in "legacy" mode by default. A series of other changes will be made to update the namespaces associated with marketplace and olm to support catalogSources running in "legacy" mode by default.
Signed-off-by: Alexander Greene [email protected]