gitops-operator icon indicating copy to clipboard operation
gitops-operator copied to clipboard

Published 20 hours ago verified publisher icon redhat-developer

PSA: add restricted labels to openshift-gitops namespace

Open ibihim opened this issue 1 year ago • 6 comments

What type of PR is this?

/kind enhancement

What does this PR do / why we need it:

Add pod security policy restricted to the openshift-gitops namespace.

openshift-prefixed namespaces are not managed by the pod security policy sync controller, which sets pod security labels automatically for the users. It is expected that openshift namespaces consciously pick their security stance.

This means, that if pod security labels are not set, the defaults from the global config are being applied, which are set to restricted.

I am adding the SCC restricted-v2, such that the necessary SecurityContext should be set by SCC mutation.

It is related to the PR to upstream: https://github.com/argoproj-labs/argocd-operator/pull/1288.

Have you updated the necessary documentation?

  • [ ] Documentation update is required by this PR.
  • [ ] Documentation has been updated.

Which issue(s) this PR fixes:

Fixes #?

Test acceptance criteria:

  • [ ] Unit Test
  • [ ] E2E Test

How to test changes / Special notes to the reviewer:

  • Workloads should work as before.
  • openshift-gitops namespace should have the labels set in this PR.

ibihim avatar Apr 08 '24 17:04 ibihim

Hi @ibihim. Thanks for your PR.

I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar Apr 08 '24 17:04 openshift-ci[bot]

/retest-required

ibihim avatar Apr 26 '24 12:04 ibihim

@ibihim: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/retest-required

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

openshift-ci[bot] avatar Apr 26 '24 12:04 openshift-ci[bot]

/ok-to-test

svghadi avatar May 17 '24 04:05 svghadi

/lgtm /approve

iam-veeramalla avatar May 29 '24 17:05 iam-veeramalla

/lgtm /approve

iam-veeramalla avatar May 29 '24 17:05 iam-veeramalla

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: iam-veeramalla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci[bot] avatar May 29 '24 17:05 openshift-ci[bot]

/test v4.13-e2e

svghadi avatar May 30 '24 00:05 svghadi

/retest

svghadi avatar May 30 '24 03:05 svghadi

/test v4.14-e2e

svghadi avatar May 30 '24 05:05 svghadi

/retest

svghadi avatar May 30 '24 11:05 svghadi

/lgtm

svghadi avatar May 30 '24 12:05 svghadi