OCPBUGS-4757: Default to legacy psa settings (#273) #420

awgreene · 2022-12-10T15:00:35Z

The catalogSource api was recently updated to support running the associated pod in a "restricted" workflow as defined by the Pod Security Admission controller. By default, the catalogSource pods have been configured to run in "restricted" mode, which is disruptive to customers managing and deploying their own catalogSources as they need to rebuild their catalogs to run in "restricted" mode if a namespace is marked as "restricted".

In an effort to provide users with a bit more time to rebuilt their catalogSources, this change configures catalogSources to run in "legacy" mode by default. A series of other changes will be made to update the namespaces associated with marketplace and olm to support catalogSources running in "legacy" mode by default.

Signed-off-by: Alexander Greene greene.al1991@gmail.com

awgreene · 2022-12-10T15:00:56Z

/hold until operator-framework/operator-marketplace#491 merges.

openshift-ci · 2022-12-10T15:01:04Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: awgreene

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [awgreene]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot · 2022-12-10T15:02:35Z

@awgreene: This pull request references Jira Issue OCPBUGS-3881, which is invalid:

expected the bug to target the "4.13.0" version, but it targets "4.12.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

The catalogSource api was recently updated to support running the associated pod in a "restricted" workflow as defined by the Pod Security Admission controller. By default, the catalogSource pods have been configured to run in "restricted" mode, which is disruptive to customers managing and deploying their own catalogSources as they need to rebuild their catalogs to run in "restricted" mode if a namespace is marked as "restricted".

In an effort to provide users with a bit more time to rebuilt their catalogSources, this change configures catalogSources to run in "legacy" mode by default. A series of other changes will be made to update the namespaces associated with marketplace and olm to support catalogSources running in "legacy" mode by default.

Signed-off-by: Alexander Greene greene.al1991@gmail.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

awgreene · 2022-12-12T19:55:29Z

/retest

openshift-ci-robot · 2022-12-12T19:59:45Z

@awgreene: This pull request references Jira Issue OCPBUGS-4757, which is invalid:

expected the bug to target the "4.13.0" version, but it targets "4.13" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

The catalogSource api was recently updated to support running the associated pod in a "restricted" workflow as defined by the Pod Security Admission controller. By default, the catalogSource pods have been configured to run in "restricted" mode, which is disruptive to customers managing and deploying their own catalogSources as they need to rebuild their catalogs to run in "restricted" mode if a namespace is marked as "restricted".

In an effort to provide users with a bit more time to rebuilt their catalogSources, this change configures catalogSources to run in "legacy" mode by default. A series of other changes will be made to update the namespaces associated with marketplace and olm to support catalogSources running in "legacy" mode by default.

Signed-off-by: Alexander Greene greene.al1991@gmail.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

awgreene · 2022-12-12T20:00:22Z

/jira refresh

openshift-ci-robot · 2022-12-12T20:00:24Z

@awgreene: This pull request references Jira Issue OCPBUGS-4757, which is invalid:

expected the bug to target the "4.13.0" version, but it targets "4.13.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

awgreene · 2022-12-12T20:01:36Z

/jira refresh

openshift-ci-robot · 2022-12-12T20:01:42Z

@awgreene: This pull request references Jira Issue OCPBUGS-4757, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.13.0) matches configured target version for branch (4.13.0)
bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jianzhangbjz

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

jianzhangbjz · 2022-12-13T08:14:26Z

Verify failed, details: https://issues.redhat.com/browse/OCPBUGS-4757
/hold

awgreene · 2022-12-13T14:40:30Z

/retest

awgreene · 2022-12-13T19:15:25Z

This PR will need the upstream changes introduced here: operator-framework/operator-lifecycle-manager#2906

awgreene · 2022-12-15T03:52:30Z

/retest

The catalogSource api was recently updated to support running the associated pod in a "restricted" workflow as defined by the Pod Security Admission controller. By default, the catalogSource pods have been configured to run in "restricted" mode, which is disruptive to customers managing and deploying their own catalogSources as they need to rebuild their catalogs to run in "restricted" mode if a namespace is marked as "restricted". In an effort to provide users with a bit more time to rebuilt their catalogSources, this change configures catalogSources to run in "legacy" mode by default. A series of other changes will be made to update the namespaces associated with marketplace and olm to support catalogSources running in "legacy" mode by default. Signed-off-by: Alexander Greene <greene.al1991@gmail.com> Upstream-repository: api Upstream-commit: 9fe16de3fd69800828decd67cf41ba9c5c773106

awgreene · 2022-12-16T16:08:06Z

/test e2e-gcp-olm

With the recent changes to default to legacy mode, some distributions of OLM are unable to run as the catalogSources are running in legacy mode in restricted namespaces. This commit configures the catalogSource pods in the e2e suite to run in restricted mode. Signed-off-by: Alexander Greene <greene.al1991@gmail.com> Upstream-repository: operator-lifecycle-manager Upstream-commit: d82537cd54934878bb109fde5515e0efdf798e47

awgreene · 2022-12-17T04:02:45Z

/retest

awgreene · 2022-12-17T12:11:29Z

/retest

awgreene · 2022-12-17T15:28:16Z

/retest

awgreene · 2022-12-19T14:29:30Z

@jianzhangbjz this should be good for a retest.

perdasilva · 2022-12-19T16:39:55Z

staging/operator-lifecycle-manager/deploy/chart/values.yaml

+  auditLevel: restricted
+  auditVersion: latest
+  warnLevel: restricted
+  warnVersion: latest


are we sure we want latest here? there was a reason we pinned the version @anik120 do you remember it?

These are the upstream chart values, we actually unset the warn and audit bits here as the namespaces are restricted in OpenShift, which is not the case upstream.

perdasilva · 2022-12-19T17:39:30Z

/lgtm

jianzhangbjz · 2022-12-20T03:05:33Z

Retest it and It works well, details: https://issues.redhat.com/browse/OCPBUGS-4757
/unhold

jianzhangbjz · 2022-12-20T03:05:52Z

/label qe-approved

jianzhangbjz · 2022-12-20T03:05:59Z

/lgtm

openshift-ci · 2022-12-20T05:58:12Z

@awgreene: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci-robot · 2022-12-20T06:00:58Z

@awgreene: All pull requests linked via external trackers have merged:

openshift/operator-framework-olm#420

Jira Issue OCPBUGS-4757 has been moved to the MODIFIED state.

Details

In response to this:

The catalogSource api was recently updated to support running the associated pod in a "restricted" workflow as defined by the Pod Security Admission controller. By default, the catalogSource pods have been configured to run in "restricted" mode, which is disruptive to customers managing and deploying their own catalogSources as they need to rebuild their catalogs to run in "restricted" mode if a namespace is marked as "restricted".

In an effort to provide users with a bit more time to rebuilt their catalogSources, this change configures catalogSources to run in "legacy" mode by default. A series of other changes will be made to update the namespaces associated with marketplace and olm to support catalogSources running in "legacy" mode by default.

Signed-off-by: Alexander Greene greene.al1991@gmail.com

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

awgreene · 2022-12-20T14:33:48Z

/cherry-pick release-4.12

openshift-cherrypick-robot · 2022-12-20T14:34:36Z

@awgreene: new pull request created: #426

Details

In response to this:

/cherry-pick release-4.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

…enshift#420) Bumps the k8s-dependencies group with 1 update: [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime). Updates `sigs.k8s.io/controller-runtime` from 0.20.3 to 0.20.4 - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](kubernetes-sigs/controller-runtime@v0.20.3...v0.20.4) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-patch dependency-group: k8s-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Upstream-repository: api Upstream-commit: dbda0e39895ebdda2f29293ef4ad212f99217b8c

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 10, 2022

openshift-ci bot requested review from anik120 and benluddy December 10, 2022 15:01

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 10, 2022

awgreene changed the title ~~Default to legacy psa settings (#273)~~ OCPBUGS-3881: Default to legacy psa settings (#273) Dec 10, 2022

openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Dec 10, 2022

awgreene changed the title ~~OCPBUGS-3881: Default to legacy psa settings (#273)~~ OCPBUGS-4757: Default to legacy psa settings (#273) Dec 12, 2022

openshift-ci bot requested a review from jianzhangbjz December 12, 2022 20:01

awgreene force-pushed the bump-api branch 2 times, most recently from 7a78783 to ce0af1b Compare December 13, 2022 02:43

awgreene force-pushed the bump-api branch 3 times, most recently from 32283ce to 205562a Compare December 14, 2022 21:50

awgreene force-pushed the bump-api branch from 1ec24c4 to 6f8e290 Compare December 16, 2022 13:01

awgreene force-pushed the bump-api branch from 6f8e290 to 206ca27 Compare December 16, 2022 20:38

perdasilva reviewed Dec 19, 2022

View reviewed changes

openshift-ci bot assigned perdasilva Dec 19, 2022

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Dec 19, 2022

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 20, 2022

openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Dec 20, 2022

openshift-ci bot assigned jianzhangbjz Dec 20, 2022

openshift-merge-robot merged commit 8203567 into openshift:master Dec 20, 2022

openshift-cherrypick-robot mentioned this pull request Dec 20, 2022

[release-4.12] OCPBUGS-3881: Default to legacy psa settings #426

Merged

tmshort mentioned this pull request Apr 30, 2025

OCPBUGS-53161, OPRUN-3880:Synchronize From Upstream Repositories #996

Merged

OCPBUGS-4757: Default to legacy psa settings (#273) #420

OCPBUGS-4757: Default to legacy psa settings (#273) #420

Uh oh!

Conversation

awgreene commented Dec 10, 2022

Uh oh!

awgreene commented Dec 10, 2022

Uh oh!

openshift-ci bot commented Dec 10, 2022

Uh oh!

openshift-ci-robot commented Dec 10, 2022

Uh oh!

awgreene commented Dec 12, 2022

Uh oh!

openshift-ci-robot commented Dec 12, 2022

Uh oh!

awgreene commented Dec 12, 2022

Uh oh!

openshift-ci-robot commented Dec 12, 2022

Uh oh!

awgreene commented Dec 12, 2022

Uh oh!

openshift-ci-robot commented Dec 12, 2022

Uh oh!

jianzhangbjz commented Dec 13, 2022

Uh oh!

awgreene commented Dec 13, 2022

Uh oh!

awgreene commented Dec 13, 2022

Uh oh!

awgreene commented Dec 15, 2022

Uh oh!

awgreene commented Dec 16, 2022

Uh oh!

awgreene commented Dec 17, 2022

Uh oh!

awgreene commented Dec 17, 2022

Uh oh!

awgreene commented Dec 17, 2022

Uh oh!

awgreene commented Dec 19, 2022

Uh oh!

perdasilva Dec 19, 2022

Choose a reason for hiding this comment

Uh oh!

awgreene Dec 19, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

perdasilva commented Dec 19, 2022

Uh oh!

jianzhangbjz commented Dec 20, 2022

Uh oh!

jianzhangbjz commented Dec 20, 2022

Uh oh!

jianzhangbjz commented Dec 20, 2022

Uh oh!

openshift-ci bot commented Dec 20, 2022

Uh oh!

openshift-ci-robot commented Dec 20, 2022

Uh oh!

awgreene commented Dec 20, 2022

Uh oh!

openshift-cherrypick-robot commented Dec 20, 2022

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

awgreene Dec 19, 2022 •

edited

Loading