
🐛 (fix): update PSA versions to match Kubernetes API version #3524

Conversation


@camilamacedo86 camilamacedo86 commented Feb 25, 2025

In this commit, a new Makefile target update-k8s-values was created to automatically update the
pod-security.kubernetes.io/*-version values (enforceVersion, auditVersion, warnVersion)
in the Helm chart's values.yaml file.

These values now align with the Kubernetes API version defined in go.mod, instead of using latest. This ensures better compatibility and avoids issues with unsupported versions in Kubernetes PSA.
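
The description above outlines a Makefile target that derives the `pod-security.kubernetes.io/*-version` values from the Kubernetes API version pinned in `go.mod`. The following shell script is an added illustration of that derivation, not the PR's own target; it assumes that `k8s.io/api v0.<minor>.<patch>` corresponds to Kubernetes `v1.<minor>` (the PSA label format), and the `go.mod` and `values.yaml` contents are constructed samples.

```shell
#!/bin/sh
# Derive pod-security.kubernetes.io/*-version values from go.mod.
# Assumption (not stated in the PR): k8s.io/api v0.<minor>.<patch> tracks
# Kubernetes v1.<minor>, so the PSA label value becomes "v1.<minor>".

# Print "v1.<minor>" for the k8s.io/api module pinned in the given go.mod.
psa_version_from_gomod() {
  gomod="$1"
  # Handles both "require k8s.io/api v0.32.2" and the indented block form.
  v=$(awk '$1 == "k8s.io/api" { print $2; exit }
           $1 == "require" && $2 == "k8s.io/api" { print $3; exit }' "$gomod")
  [ -n "$v" ] || { echo "k8s.io/api not found in $gomod" >&2; return 1; }
  minor=$(printf '%s\n' "$v" | sed -n 's/^v0\.\([0-9][0-9]*\)\..*/\1/p')
  [ -n "$minor" ] || { echo "unexpected k8s.io/api version: $v" >&2; return 1; }
  echo "v1.$minor"
}

# Replace the enforceVersion/auditVersion/warnVersion values in values.yaml,
# leaving the enforce/audit/warn level keys (baseline, restricted) untouched.
update_values_yaml() {
  values="$1"; ver="$2"
  sed -i.bak -E "s/^([[:space:]]*(enforceVersion|auditVersion|warnVersion):).*/\1 $ver/" "$values"
  rm -f "$values.bak"
}

# Constructed sample inputs (not the project's real files).
work=$(mktemp -d)
cat > "$work/go.mod" <<'EOF'
module example.com/constructed

require (
	k8s.io/api v0.32.2
	k8s.io/client-go v0.32.2
)
EOF
cat > "$work/values.yaml" <<'EOF'
podSecurityAdmission:
  enforce: baseline
  enforceVersion: latest
  audit: restricted
  auditVersion: latest
  warn: restricted
  warnVersion: latest
EOF

ver=$(psa_version_from_gomod "$work/go.mod")   # v1.32
update_values_yaml "$work/values.yaml" "$ver"
cat "$work/values.yaml"
```

A version pinned this way must still be one the running API server recognises; a label value newer than the control plane is rejected by PSA, which is the failure mode pinning to the `go.mod` version is meant to avoid.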

@camilamacedo86 camilamacedo86 force-pushed the update-k8s-psa-version-based-go-mod branch from 7c523ea to bf22f4d February 25, 2025 17:43
@camilamacedo86 camilamacedo86 changed the title 🐛 (fix): 'pod-security.kubernetes.io/*-version' should use supported k8s version instead of latest 🐛 (fix): update PSA versions to match Kubernetes API version Feb 25, 2025
@camilamacedo86 camilamacedo86 force-pushed the update-k8s-psa-version-based-go-mod branch 2 times, most recently from d0e7f44 to a427abf February 25, 2025 20:46
@kevinrizza (Member)

@camilamacedo86 I think this change looks okay, but if we're going to touch these anyway, does it make sense for us to revisit #2906 at this point? We've defaulted to baseline enforcement for the last ~2 years. At this point I expect that everyone should be using catalog binaries that can handle restricted enforcement.

Maybe not part of this PR, but should we create an issue?

@camilamacedo86 camilamacedo86 force-pushed the update-k8s-psa-version-based-go-mod branch from a427abf to 5b4222f February 28, 2025 16:08
@camilamacedo86 (Contributor, Author)

Hi @kevinrizza

Thank you for the help!
Regarding #3524 (comment):
Just to confirm my understanding, we should be using restricted instead of baseline.
We can do that in a follow-up, because we need to cherry-pick it for old OCP versions.
But I will look into that.

@perdasilva (Collaborator) left a comment

Thank you ^^

@anik120 (Contributor) left a comment

/lgtm

At this point I expect that everyone should be using catalog binaries that can handle restricted enforcement

Note that we'll have to dig up why exactly the catalog binaries weren't able to handle the restricted environment, to confirm to ourselves that our customers are off of that issue (I can't remember off the top of my head what exactly the issue was).

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 28, 2025
@camilamacedo86 camilamacedo86 added this pull request to the merge queue Feb 28, 2025
Merged via the queue into operator-framework:master with commit efe3a9a Feb 28, 2025
12 checks passed
@camilamacedo86 camilamacedo86 deleted the update-k8s-psa-version-based-go-mod branch February 28, 2025 17:56
@jianzhangbjz (Contributor)

Based on https://redhat-internal.slack.com/archives/C06KP34REFJ/p1741224828143489?thread_ts=1739880491.760029&cid=C06KP34REFJ, we are fine to leave our namespace manifest with latest, since it doesn't appear hypershift is using it; "latest" means the-version-of-the-control-plane-that-is-running-psa-logic-for-this-namespace. So these pinning PRs appear not needed. So, we should revert this PR.

we should revert this change.
