remove default value of catsrc.spec.grpcPodConfig.securityContextConfig #342
Signed-off-by: Joe Lanford <[email protected]>
Codecov Report

All modified and coverable lines are covered by tests ✅

Additional details and impacted files

```
@@            Coverage Diff            @@
##           master     #342   +/-   ##
=======================================
  Coverage   39.43%   39.43%
=======================================
  Files          56       56
  Lines        4516     4516
=======================================
  Hits         1781     1781
  Misses       2581     2581
  Partials      154      154
```

☔ View full report in Codecov by Sentry.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: acornett21, grokspawn, joelanford

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
5d2d3fb into operator-framework:master
More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/' | ||
type: string | ||
default: legacy |
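Review bot: removing `default: legacy` changes what an unset `securityContextConfig` means at admission time, but the field description above still ends at the PSA link and does not say what an unset value now resolves to. Add a sentence to the description stating that when the field is omitted OLM infers the value from the namespace's Pod Security Admission enforcement level (as the PR body explains), so consumers reading the CRD do not keep assuming `legacy` is applied for them. Note also that objects already persisted with the old default keep their stored `legacy` value, since schema defaults are written into the object at admission; that is worth a line in the description or release note.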
Hi, one more question, why not set the default value to `restricted`? Thanks!
The new default is "it depends on what the namespace PSA enforcement is", not "restricted, period".

If we changed this to default to `restricted` in the API, it would be impossible to have an implicit default based on some other condition of the cluster.
Got it, thanks!
In operator-framework/operator-lifecycle-manager#3206, we updated OLM to support an implicit default of a catalog pod's `securityContextConfig`, based on the PSA configuration of the namespace it is created in.

However, we overlooked the fact that the CatalogSource CRD specifies `legacy` as a default value. The result of this is that any catalog source with a non-nil `spec.grpcPodConfig` that attempts to leave `spec.grpcPodConfig.securityContextConfig` unset will be defaulted to `legacy` during admission. This PR fixes that by removing the default value in the CRD spec.
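The following Go program is an added illustration of the mechanism this PR corrects; it is not code from operator-framework/api or from OLM. It models two steps: API-server schema defaulting at admission (`admit`, which writes the CRD `default:` into the object only when the field is absent), and a controller-side rule that resolves an unset `securityContextConfig` from the namespace's Pod Security Admission enforcement label. The label key `pod-security.kubernetes.io/enforce` is the real PSA label; the mapping in `effectiveSecurityContextConfig` (restricted namespace → `restricted`, otherwise `legacy`) and the sample spec with a `memoryTarget` field are assumptions made for the example, not necessarily OLM's exact logic.

```go
package main

import "fmt"

// Real Kubernetes label used by Pod Security Admission to record the
// enforced level on a namespace.
const psaEnforceLabel = "pod-security.kubernetes.io/enforce"

// admit simulates structural-schema defaulting in the API server: when the
// CRD declares a default for a field and the incoming object omits it, the
// default is written into the object before it is persisted. A nil
// schemaDefault models a CRD with no `default:` for the field, which is
// what this PR produces.
func admit(spec map[string]string, schemaDefault *string) map[string]string {
	out := make(map[string]string, len(spec)+1)
	for k, v := range spec {
		out[k] = v
	}
	if _, set := out["securityContextConfig"]; !set && schemaDefault != nil {
		out["securityContextConfig"] = *schemaDefault
	}
	return out
}

// effectiveSecurityContextConfig models the controller-side implicit default
// described in the PR discussion: an explicit value always wins; an unset
// value is inferred from the namespace's PSA enforcement level. The mapping
// below is an assumption for illustration, not a statement of OLM's code.
func effectiveSecurityContextConfig(persistedSpec, nsLabels map[string]string) string {
	if v, set := persistedSpec["securityContextConfig"]; set && v != "" {
		return v
	}
	if nsLabels[psaEnforceLabel] == "restricted" {
		return "restricted"
	}
	return "legacy"
}

func main() {
	legacy := "legacy"
	// Constructed input: a grpcPodConfig that sets another field but leaves
	// securityContextConfig unset, created in a PSA-restricted namespace.
	userSpec := map[string]string{"memoryTarget": "100Mi"}
	restrictedNS := map[string]string{psaEnforceLabel: "restricted"}

	// Before this PR: the schema default fills in "legacy" at admission, so
	// the controller never observes the field as unset and cannot infer
	// "restricted" from the namespace.
	before := admit(userSpec, &legacy)
	fmt.Println("with CRD default:   ", effectiveSecurityContextConfig(before, restrictedNS))

	// After this PR: no schema default, the field stays unset in the stored
	// object and the controller resolves it from the namespace PSA level.
	after := admit(userSpec, nil)
	fmt.Println("without CRD default:", effectiveSecurityContextConfig(after, restrictedNS))
}
```

Running it prints `legacy` for the first case and `restricted` for the second, which is the difference the PR body describes: a schema default is applied at admission and erases the distinction between "unset" and "explicitly legacy" that the controller needs.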