Skip to content

[release-4.12] OCPBUGS-3881: Default to legacy psa settings #426

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Dec 21, 2022
Merged

[release-4.12] OCPBUGS-3881: Default to legacy psa settings #426

merged 4 commits into from
Dec 21, 2022

Conversation

openshift-cherrypick-robot
Copy link

This is an automated cherry-pick of #420

/assign awgreene

@awgreene
Default to legacy psa settings (openshift#273)
b39f4e4 
The catalogSource api was recently updated to support running the
associated pod in a "restricted" workflow as defined by the Pod Security
Admission controller. By default, the catalogSource pods have been
configured to run in "restricted" mode, which is disruptive to customers
managing and deploying their own catalogSources as they need to rebuild
their catalogs to run in "restricted" mode if a namespace is marked as
"restricted".

In an effort to provide users with a bit more time to rebuilt their
catalogSources, this change configures catalogSources to run in "legacy"
mode by default. A series of other changes will be made to update the
namespaces associated with marketplace and olm  to support
catalogSources running in "legacy" mode by default.

Signed-off-by: Alexander Greene <[email protected]>

Upstream-repository: api
Upstream-commit: 9fe16de3fd69800828decd67cf41ba9c5c773106
@awgreene
Default to legacy PSA settings (#2906)
8a9947a 
* Bump operator-framework/api v0.17.3

Signed-off-by: Alexander Greene <[email protected]>

* Default to legacy PSA settings

Problem: OLM recently introduced a few changes to default to running its
workloads in a restricted mode. As a part of these changes,
catalogSources built with earlier versions of OPM will not run as
expected unless the catalogSource yaml is configured to run in a legacy
version. Unfortunately, these legacy catalogs cannot be ran in
restricted namespaces, which includes the `olm` namespace which is used
to define global catalogSources.

Solution: Provide users ample time to convert to the new restricted
fromat by defaulting to legacy restrictions and reclassify the `olm`
namespace as a baseline privilege namespace.

Signed-off-by: Alexander Greene <[email protected]>

* Update chart values and generate manifests

Signed-off-by: Alexander Greene <[email protected]>

Upstream-repository: operator-lifecycle-manager
Upstream-commit: a0dab223ba55d714bc2f440dd7651870c37bc0c1
@awgreene
Generate Downstream Manifests
b25f1b6
@awgreene
Update e2e catalogSources to run in restricted mode (#2909)
a195dea 
With the recent changes to default to legacy mode, some distributions of
OLM are unable to run as the catalogSources are running in legacy mode
in restricted namespaces.

This commit configures the catalogSource pods in the e2e suite to run in
restricted mode.

Signed-off-by: Alexander Greene <[email protected]>

Upstream-repository: operator-lifecycle-manager
Upstream-commit: d82537cd54934878bb109fde5515e0efdf798e47
@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Dec 20, 2022
Merged
@openshift-ci-robot
Copy link

@openshift-cherrypick-robot: Jira Issue OCPBUGS-4757 has been cloned as Jira Issue OCPBUGS-5071. Retitling PR to link against new bug.
/retitle [release-4.12] OCPBUGS-5071: Default to legacy psa settings (#273)

In response to this:

This is an automated cherry-pick of #420

/assign awgreene

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot changed the title [release-4.12] OCPBUGS-4757: Default to legacy psa settings (#273) [release-4.12] OCPBUGS-5071: Default to legacy psa settings (#273) Dec 20, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 20, 2022

@openshift-cherrypick-robot: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

In response to this:

[release-4.12] OCPBUGS-5071: Default to legacy psa settings (#273)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Dec 20, 2022
@openshift-ci-robot
Copy link

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-5071, which is valid. The bug has been moved to the POST state.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.12.0) matches configured target version for branch (4.12.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • dependent bug Jira Issue OCPBUGS-4757 is in the state Verified, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
  • dependent Jira Issue OCPBUGS-4757 targets the "4.13.0" version, which is one of the valid target versions: 4.13.0
  • bug has dependents

Requesting review from QA contact:
/cc @jianzhangbjz

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This is an automated cherry-pick of #420

/assign awgreene

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@awgreene
Copy link
Contributor

/retitle [release-4.12] OCPBUGS-3881: Default to legacy psa settings

@openshift-ci openshift-ci bot changed the title [release-4.12] OCPBUGS-5071: Default to legacy psa settings (#273) [release-4.12] OCPBUGS-3881: Default to legacy psa settings Dec 20, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 20, 2022

@openshift-cherrypick-robot: No Bugzilla bug is referenced in the title of this pull request.
To reference a bug, add 'Bug XXX:' to the title of this pull request and request another bug refresh with /bugzilla refresh.

Retaining the bugzilla/valid-bug label as it was manually added.

In response to this:

[release-4.12] OCPBUGS-3881: Default to legacy psa settings

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. and removed jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Dec 20, 2022
@openshift-ci-robot
Copy link

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-3881, which is invalid:

  • expected Jira Issue OCPBUGS-3881 to depend on a bug targeting a version in 4.13.0 and in one of the following states: MODIFIED, ON_QA, VERIFIED, but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

This is an automated cherry-pick of #420

/assign awgreene

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@awgreene
Copy link
Contributor

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Dec 20, 2022
@openshift-ci-robot
Copy link

@awgreene: This pull request references Jira Issue OCPBUGS-3881, which is valid. The bug has been moved to the POST state.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.12.0) matches configured target version for branch (4.12.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
  • dependent bug Jira Issue OCPBUGS-4757 is in the state Verified, which is one of the valid states (MODIFIED, ON_QA, VERIFIED)
  • dependent Jira Issue OCPBUGS-4757 targets the "4.13.0" version, which is one of the valid target versions: 4.13.0
  • bug has dependents

Requesting review from QA contact:
/cc @jianzhangbjz

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@awgreene
Copy link
Contributor

/approve

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 20, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: awgreene, openshift-cherrypick-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 20, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 20, 2022

@openshift-cherrypick-robot: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@awgreene
Copy link
Contributor

/label backport-risk-assesed

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 20, 2022

@awgreene: The label(s) /label backport-risk-assesed cannot be applied. These labels are supported: platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, downstream-change-needed, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/valid-bug, staff-eng-approved. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/label backport-risk-assesed

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@awgreene
Copy link
Contributor

/label backport-risk-assessed,

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Dec 20, 2022

@awgreene: The label(s) /label backport-risk-assessed, cannot be applied. These labels are supported: platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, downstream-change-needed, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/valid-bug, staff-eng-approved. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/label backport-risk-assessed,

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@awgreene
Copy link
Contributor

/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Dec 20, 2022
@oceanc80
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 20, 2022
@jianzhangbjz
Copy link
Contributor

Test passed, details: https://issues.redhat.com/browse/OCPBUGS-3881
/label qe-approved
/label cherry-pick-approved

@openshift-ci openshift-ci bot added qe-approved Signifies that QE has signed off on this PR cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. labels Dec 21, 2022
@openshift-merge-robot openshift-merge-robot merged commit d6d2139 into openshift:release-4.12 Dec 21, 2022
@openshift-ci-robot
Copy link

@openshift-cherrypick-robot: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-3881 has been moved to the MODIFIED state.

In response to this:

This is an automated cherry-pick of #420

/assign awgreene

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jianzhangbjz jianzhangbjz Awaiting requested review from jianzhangbjz

@anik120 anik120 Awaiting requested review from anik120

@dinhxuanvu dinhxuanvu Awaiting requested review from dinhxuanvu

Assignees

@bandrade bandrade

@awgreene awgreene

@oceanc80 oceanc80

@jianzhangbjz jianzhangbjz

@kuiwang02 kuiwang02

@Xia-Zhao-rh Xia-Zhao-rh

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged. qe-approved Signifies that QE has signed off on this PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@openshift-cherrypick-robot @openshift-ci-robot @awgreene @oceanc80 @jianzhangbjz @bandrade @openshift-merge-robot @kuiwang02 @Xia-Zhao-rh