Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

remove default value of catsrc.spec.grpcPodConfig.securityContextConfig #342

Merged
merged 1 commit into from
Jun 13, 2024
Merged

remove default value of catsrc.spec.grpcPodConfig.securityContextConfig #342

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 5 additions & 9 deletions crds/operators.coreos.com_catalogsources.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1023,19 +1023,15 @@ spec:
SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource's pod is either injected with the
right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in Pod
Security Admission (PSA) `restricted` mode, or doesn't set these values at all, in which case the pod can only be
run in PSA `baseline` or `privileged` namespaces. Currently if the SecurityContextConfig is unspecified, the default
value of `legacy` is used. Specifying a value other than `legacy` or `restricted` result in a validation error.
When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig should be
set to `legacy`.


In a future version will the default will be set to `restricted`, catalog maintainers should rebuild their catalogs
with a version of opm that supports running catalogSource pods in `restricted` mode to prepare for these changes.
run in PSA `baseline` or `privileged` namespaces. If the SecurityContextConfig is unspecified, the mode will be
determined by the namespace's PSA configuration. If the namespace is enforcing `restricted` mode, then the pod
will be configured as if `restricted` was specified. Otherwise, it will be configured as if `legacy` was
specified. Specifying a value other than `legacy` or `restricted` result in a validation error. When using older
catalog images, which can not run in `restricted` mode, the SecurityContextConfig should be set to `legacy`.


More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'
type: string
default: legacy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, one more question, why not set the default value to restricted? Thanks!

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new default is "it depends on what the namespace PSA enforcement is", not "restricted, period"

If we changed this to default to restricted in the API, it would be impossible to have an implicit default based on some other condition of the cluster.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it, thanks!

enum:
- legacy
- restricted
Expand Down
Loading
Loading