Skip to content

Commit d4a546c

Browse files
camilamacedo86camilamacedo86
committed
Enforce PSA for restricted instead of baseline
We've defaulted to baseline enforcement for the last ~2 years. At this point, I expect that everyone should be using catalog binaries that can handle restricted enforcement.
1 parent d8975fb commit d4a546c

File tree

3 files changed

+5
-5
lines changed

3 files changed

+5
-5
lines changed

deploy/chart/values.yaml

+2-2
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@ rbacApiVersion: rbac.authorization.k8s.io
22
namespace: operator-lifecycle-manager
33
# see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details
44
namespace_psa:
5-
enforceLevel: baseline
5+
enforceLevel: restricted
66
enforceVersion: latest
77
auditLevel: restricted
88
auditVersion: latest
@@ -12,7 +12,7 @@ catalog_namespace: operator-lifecycle-manager
1212
operator_namespace: operators
1313
# see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details
1414
operator_namespace_psa:
15-
enforceLevel: baseline
15+
enforceLevel: restricted
1616
enforceVersion: latest
1717
minKubeVersion: 1.11.0
1818
writeStatusName: '""'

deploy/upstream/values.yaml

+1-1
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ catalog_namespace: olm
99
operator_namespace: operators
1010
# see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details
1111
operator_namespace_psa:
12-
enforceLevel: baseline
12+
enforceLevel: restricted
1313
enforceVersion: latest
1414
imagestream: false
1515
writeStatusName: '""'

test/e2e/catalog_e2e_test.go

+2-2
Original file line numberDiff line numberDiff line change
@@ -1538,7 +1538,7 @@ var _ = Describe("Starting CatalogSource e2e tests", Label("CatalogSource"), fun
15381538
})
15391539
})
15401540
})
1541-
When("The namespace is labled as Pod Security Admission policy enforce:baseline", func() {
1541+
When("The namespace is labled as Pod Security Admission policy enforce:restricted", func() {
15421542
BeforeEach(func() {
15431543
var err error
15441544
testNS := &corev1.Namespace{}
@@ -1551,7 +1551,7 @@ var _ = Describe("Starting CatalogSource e2e tests", Label("CatalogSource"), fun
15511551
}).Should(BeNil())
15521552

15531553
testNS.ObjectMeta.Labels = map[string]string{
1554-
"pod-security.kubernetes.io/enforce": "baseline",
1554+
"pod-security.kubernetes.io/enforce": "restricted",
15551555
"pod-security.kubernetes.io/enforce-version": "latest",
15561556
}
15571557

0 commit comments

Comments
 (0)