Enforce privileged PSA by default #4832

Evan-Reilly · 2024-10-01T14:26:20Z

What this PR does / why we need it:
OpenShiftPodSecurityAdmission feature gate is not enabled by default in 4.17 any longer: https://github.com/openshift/api/blob/release-4.17/features/features.go, openshift/api#2018. Therefore, to ensure namespace security is not enforcing restricted by default any longer, this PR is required to properly enforce privileged PSA by default.

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

Subject and description added to both, commit and PR.
Relevant issues have been referenced.
This change includes docs.
This change includes unit tests.

4.17 is still not restricted by default, this change is required to properly go back to enforcing privileged by default

openshift-ci · 2024-10-01T14:27:07Z

Hi @Evan-Reilly. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci · 2024-10-01T14:27:48Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Evan-Reilly
Once this PR has been reviewed and has the lgtm label, please assign muraee for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

rtheis

Please move this to release-4.17 only.

rtheis · 2024-10-01T14:33:30Z

/hold

Enforce privileged PSA by default

7602eb0

4.17 is still not restricted by default, this change is required to properly go back to enforcing privileged by default

openshift-ci bot added do-not-merge/needs-area needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 1, 2024

openshift-ci bot requested review from enxebre and isco-rodriguez October 1, 2024 14:27

openshift-ci bot added the area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release label Oct 1, 2024

openshift-ci bot removed the do-not-merge/needs-area label Oct 1, 2024

rtheis suggested changes Oct 1, 2024

View reviewed changes

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 1, 2024

openshift-ci bot assigned rtheis Oct 1, 2024

Evan-Reilly closed this Oct 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enforce privileged PSA by default #4832

Enforce privileged PSA by default #4832

Evan-Reilly commented Oct 1, 2024

openshift-ci bot commented Oct 1, 2024

openshift-ci bot commented Oct 1, 2024

rtheis left a comment

rtheis commented Oct 1, 2024

Enforce privileged PSA by default #4832

Enforce privileged PSA by default #4832

Conversation

Evan-Reilly commented Oct 1, 2024

openshift-ci bot commented Oct 1, 2024

openshift-ci bot commented Oct 1, 2024

rtheis left a comment

Choose a reason for hiding this comment

rtheis commented Oct 1, 2024