OCPBUGS-4758: Unenforce PSA Restrictions

[awgreene]

OpenShift v4.12 had previously enforced PSA restrictions by defaults in and namespace prefixed with openshift-. This change has been delayed until OpenShift v4.13 and users should be allowed to run catalogs without restricted permissions in the openshift-marketplace namespace.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: awgreene

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [awgreene]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bparees]

lgtm

[joelanford]

Have we checked to see if this could be baseline instead of privileged and still support legacy catalog sources?

Suggested change

	pod-security.kubernetes.io/enforce: privileged
	pod-security.kubernetes.io/enforce: baseline

[joelanford]

Also, let's add the following?

pod-security.kubernetes.io/audit: restricted
pod-security.kubernetes.io/warn: restricted

[awgreene]

/retest

[anik120]

+1 to all of Joe's comments otherwise lgtm

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/test ci/prow/e2e-gcp-serial

[openshift-ci]

@awgreene: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

• /test e2e-gcp
• /test e2e-gcp-console-olm
• /test e2e-gcp-operator
• /test e2e-gcp-serial
• /test e2e-gcp-upgrade
• /test images
• /test okd-images
• /test okd-scos-images
• /test unit

The following commands are available to trigger optional jobs:

• /test okd-e2e-gcp
• /test okd-scos-e2e-gcp

Use /test all to run all jobs.

Details

In response to this:

/test ci/prow/e2e-gcp-serial

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[awgreene]

/retest

[openshift-ci-robot]

@awgreene: This pull request references Jira Issue OCPBUGS-3881, which is invalid:

• expected the bug to target the "4.13.0" version, but it targets "4.12.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

OpenShift v4.12 had previously enforced PSA restrictions by defaults in and namespace prefixed with openshift-. This change has been delayed until OpenShift v4.13 and users should be allowed to run catalogs without restricted permissions in the openshift-marketplace namespace.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[awgreene]

/retest

[awgreene]

/retest

[awgreene]

/retest

[openshift-ci]

@awgreene: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-gcp	0535e66	link	false	/test okd-scos-e2e-gcp

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[awgreene]

/test e2e-gcp-serial

[openshift-ci-robot]

@awgreene: This pull request references Jira Issue OCPBUGS-4758, which is invalid:

• expected the bug to target the "4.13.0" version, but it targets "4.13" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

OpenShift v4.12 had previously enforced PSA restrictions by defaults in and namespace prefixed with openshift-. This change has been delayed until OpenShift v4.13 and users should be allowed to run catalogs without restricted permissions in the openshift-marketplace namespace.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[awgreene]

/jira refresh

[openshift-ci-robot]

@awgreene: This pull request references Jira Issue OCPBUGS-4758, which is invalid:

• expected the bug to target the "4.13.0" version, but it targets "4.13.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[awgreene]

/jira refresh

[openshift-ci-robot]

@awgreene: This pull request references Jira Issue OCPBUGS-4758, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.13.0) matches configured target version for branch (4.13.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @jianzhangbjz

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[awgreene]

/override e2e-gcp-serial

[openshift-ci]

@awgreene: /override requires failed status contexts, check run or a prowjob name to operate on.
The following unknown contexts/checkruns were given:

• e2e-gcp-serial

Only the following failed contexts/checkruns were expected:

• ci/prow/e2e-gcp
• ci/prow/e2e-gcp-console-olm
• ci/prow/e2e-gcp-operator
• ci/prow/e2e-gcp-serial
• ci/prow/e2e-gcp-upgrade
• ci/prow/images
• ci/prow/okd-e2e-gcp
• ci/prow/okd-images
• ci/prow/okd-scos-e2e-gcp
• ci/prow/okd-scos-images
• ci/prow/unit
• pull-ci-operator-framework-operator-marketplace-master-e2e-gcp
• pull-ci-operator-framework-operator-marketplace-master-e2e-gcp-console-olm
• pull-ci-operator-framework-operator-marketplace-master-e2e-gcp-operator
• pull-ci-operator-framework-operator-marketplace-master-e2e-gcp-serial
• pull-ci-operator-framework-operator-marketplace-master-e2e-gcp-upgrade
• pull-ci-operator-framework-operator-marketplace-master-images
• pull-ci-operator-framework-operator-marketplace-master-okd-e2e-gcp
• pull-ci-operator-framework-operator-marketplace-master-okd-images
• pull-ci-operator-framework-operator-marketplace-master-okd-scos-e2e-gcp
• pull-ci-operator-framework-operator-marketplace-master-okd-scos-images
• pull-ci-operator-framework-operator-marketplace-master-unit
• tide

If you are trying to override a checkrun that has a space in it, you must put a double quote on the context.

Details

In response to this:

/override e2e-gcp-serial

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[awgreene]

The e2e-gcp-serial tests failed due to a slight disruption of services, which has been seen in:

• Other PRs
• Doc change only PRs

/override ci/prow/e2e-gcp-serial

[openshift-ci]

@awgreene: Overrode contexts on behalf of awgreene: ci/prow/e2e-gcp-serial

Details

In response to this:

The e2e-gcp-serial tests failed due to a slight disruption of services, which has been seen in:

• Other PRs
• Doc change only PRs

/override ci/prow/e2e-gcp-serial

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@awgreene: All pull requests linked via external trackers have merged:

• operator-framework/operator-marketplace#491

Jira Issue OCPBUGS-4758 has been moved to the MODIFIED state.

Details

In response to this:

OpenShift v4.12 had previously enforced PSA restrictions by defaults in and namespace prefixed with openshift-. This change has been delayed until OpenShift v4.13 and users should be allowed to run catalogs without restricted permissions in the openshift-marketplace namespace.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[awgreene]

/cherry-pick release-4.12

[openshift-cherrypick-robot]

@awgreene: new pull request created: #494

Details

In response to this:

/cherry-pick release-4.12

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.