OCPBUGS-43316: Enforce privileged PSA by default

[Evan-Reilly]

What this PR does / why we need it:
OpenShiftPodSecurityAdmission feature gate is not enabled by default in 4.17 any longer. Therefore, to ensure namespace security is not enforcing restricted by default any longer, this PR is required to properly enforce privileged PSA by default.

• https://github.com/openshift/api/blob/release-4.17/features/features.go
• features: disable PSA api#2018

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes https://issues.redhat.com/browse/OCPBUGS-43316

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[openshift-ci]

Hi @Evan-Reilly. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rtheis]

/ok-to-test

[rtheis]

@Evan-Reilly please take a look at the failures

[rtheis]

/lgtm

[rtheis]

/hold for changes based on https://ibm-argonauts.slack.com/archives/C01C8502FMM/p1727808157696799.

[rtheis]

/remove-hold

[rtheis]

@Evan-Reilly please fix the following test:

{Failed  === RUN   TestCreateClusterRequestServingIsolation/Main/EnsurePSANotPrivileged
    util.go:667: pod admitted when rejection was expected
    util.go:670: forbidden error expected, got %!s(<nil>)
        --- FAIL: TestCreateClusterRequestServingIsolation/Main/EnsurePSANotPrivileged (0.16s)
}

[rtheis]

/test verify

[rtheis]

Per our slack discussion, I think you need to first remove the test in a separate PR in order for PR testing to pass on this PR.

[rtheis]

#4855 will hopefully resolve this.

[rtheis]

/jira refresh

[openshift-ci-robot]

@rtheis: This pull request references Jira Issue OCPBUGS-43316, which is invalid:

• release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.
• expected Jira Issue OCPBUGS-43316 to depend on a bug targeting a version in 4.18.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rvanderp3]

/jira refresh

[openshift-ci-robot]

@rvanderp3: This pull request references Jira Issue OCPBUGS-43316, which is invalid:

• expected Jira Issue OCPBUGS-43316 to depend on a bug targeting a version in 4.18.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rvanderp3]

/jira refresh

[openshift-ci-robot]

@rvanderp3: This pull request references Jira Issue OCPBUGS-43316, which is invalid:

• expected the bug to target either version "4.17." or "openshift-4.17.", but it targets "4.18.0" instead
• expected Jira Issue OCPBUGS-43316 to depend on a bug targeting a version in 4.18.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rvanderp3]

/jira refresh

[openshift-ci-robot]

@rvanderp3: This pull request references Jira Issue OCPBUGS-43316, which is invalid:

• expected Jira Issue OCPBUGS-43316 to depend on a bug targeting a version in 4.18.0 and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sjenning]

/approve

[sjenning]

/hold

on review from hyperhift team. didn't really no one from our side had looked yet.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Evan-Reilly, rtheis, sjenning

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sjenning]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sjenning]

/lgtm
/hold cancel

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 4785464 and 2 for PR HEAD d96393d in total

[openshift-ci]

@Evan-Reilly: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@Evan-Reilly: Jira Issue OCPBUGS-43316: All pull requests linked via external trackers have merged:

• openshift/hypershift#4834

Jira Issue OCPBUGS-43316 has been moved to the MODIFIED state.

In response to this:

What this PR does / why we need it:
OpenShiftPodSecurityAdmission feature gate is not enabled by default in 4.17 any longer. Therefore, to ensure namespace security is not enforcing restricted by default any longer, this PR is required to properly enforce privileged PSA by default.

• https://github.com/openshift/api/blob/release-4.17/features/features.go
• features: disable PSA api#2018

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes https://issues.redhat.com/browse/OCPBUGS-43316

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-bot]

[ART PR BUILD NOTIFIER]

Distgit: hypershift
This PR has been included in build ose-hypershift-container-v4.17.0-202410162336.p0.g93ca4ee.assembly.stream.el9.
All builds following this will include this PR.