Skip to content

⚠️ Enforce PSA Restricted Level for CatalogSources (Drop Support for Catalogs built with opm < v1.21.0) #3526

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

⚠️ Enforce PSA Restricted Level for CatalogSources (Drop Support for Catalogs built with opm < v1.21.0) #3526

wants to merge 1 commit into from
+5 −97

Conversation

camilamacedo86
Copy link
Contributor

@camilamacedo86 camilamacedo86 commented Feb 28, 2025
edited
Loading

What this PR does

This PR updates the OLM behavior to enforce the Pod Security Admission (PSA) level restricted instead of baseline. As a result, OLM will no longer support CatalogSources built with opm versions older than v1.21.0.

Why this matters

  • Security: Enforcing restricted PSA level aligns with modern security best practices, significantly reducing pod permissions and enhancing container isolation.
  • Compatibility: Older opm versions do not generate catalogs compatible with the restricted profile.
  • Modernization: The restricted profile is already the default in OpenShift 4.11+ (which aligns with our vendor versions), and support for older setups is increasingly unnecessary.

Impact

  • This change breaks compatibility with CatalogSources built using opm versions < v1.21.0.
  • One existing test checks backward compatibility with these versions. This PR removes that test as the use case is deprecated.

Motivation

For the last two years, we've defaulted to baseline enforcement. At this point, I expect everyone to use catalog binaries that can handle restricted enforcement.

Motivated by: #3524 (comment)

@camilamacedo86
Copy link
Contributor Author

Hi @ @kevinrizza @perdasilva

The follow up requested :-)

@kevinrizza
Copy link
Member

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 28, 2025
anik120
anik120 requested changes Feb 28, 2025
View reviewed changes
Copy link
Contributor

@anik120 anik120 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we confirm that we're okay with moving to restricted?

I'm concerned we'll take these changes downstream, and then hit the same issue we were facing 2 years ago and be forced to revert (and potentially back port)

@anik120
Copy link
Contributor

anik120 commented Feb 28, 2025

Looks like we might be facing an issue upstream too:

Summarizing 1 Failure:
  [FAIL] Starting CatalogSource e2e tests when The namespace is labled as Pod Security Admission policy enforce:restricted when A CatalogSource built with opm v1.21.0 (<v1.23.2)is created with spec.GrpcPodConfig.SecurityContextConfig set to legacy [It] The registry pod comes up successfully [CatalogSource]

Could be a flake too.
Again, without remembering what exactly the issue was 2 years ago it's hard to make an educated guess.

@camilamacedo86
Copy link
Contributor Author

@anik120

I updated this test: #3526 (comment) probably we need to remove or I did something wrong. But I agree we need to check this one properly.. we cannot only update. Thank you for call it out :-)

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 2, 2025
@anik120
Copy link
Contributor

anik120 commented Mar 5, 2025

@anik120

I updated this test: #3526 (comment) probably we need to remove or I did something wrong. But I agree we need to check this one properly.. we cannot only update. Thank you for call it out :-)

Right, it looks like the test is possibly actually telling us we're not ready to move to restricted yet.

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 7, 2025
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label May 16, 2025
@camilamacedo86
Copy link
Contributor Author

camilamacedo86 commented May 16, 2025
edited
Loading

Hi @anik120

See the error:

[FAIL] Starting CatalogSource e2e tests when The namespace is labled as Pod Security Admission policy enforce:restricted when A CatalogSource built with opm v1.21.0 (<v1.23.2)is created with spec.GrpcPodConfig.SecurityContextConfig set to legacy [It] The registry pod comes up successfully

https://github.com/operator-framework/operator-lifecycle-manager/actions/runs/15064702811/job/42346975535?pr=3526

This failure is only in a test that checks if OLM works with CatalogSources built using older opm versions.

If we decide to move forward with this change motivated by the comment this comment , we should remove that test.

The key question is:
Are we okay dropping support in OLM latest for CatalogSources built with opm versions older than v1.21.0?
(which seems to me fine 👍 - It is a very old version, and the changes to enforce PodSecurityContext were introduced in the OCP vendor 4.11 and 4.12)

As mentioned in this comment by @kevinrizza, we may now be ready to do that.

✅ Yes — remove the test and move on.
❌ No — close the PR for now and revisit later.

Why this matters:

  • Older opm versions don’t work with enforceLevel: restricted,
  • We want to follow better security practices,
  • This would reduce permissions and make pods more secure.

Would love to hear from folks who can help make the call.
@joelanford @tmshort @perdasilva WDYT?

@perdasilva
Copy link
Collaborator

Hi @anik120

See the error:

[FAIL] Starting CatalogSource e2e tests when The namespace is labled as Pod Security Admission policy enforce:restricted when A CatalogSource built with opm v1.21.0 (<v1.23.2)is created with spec.GrpcPodConfig.SecurityContextConfig set to legacy [It] The registry pod comes up successfully

https://github.com/operator-framework/operator-lifecycle-manager/actions/runs/15064702811/job/42346975535?pr=3526

This failure is only in a test that checks if OLM works with CatalogSources built using older opm versions.

If we decide to move forward with this change motivated by the comment this comment , we should remove that test.

The key question is: Are we okay dropping support in OLM latest for CatalogSources built with opm versions older than v1.21.0? (which seems to me fine 👍 - It is a very old version, and the changes to enforce PodSecurityContext were introduced in the OCP vendor 4.11 and 4.12)

As mentioned in this comment by @kevinrizza, we may now be ready to do that.

✅ Yes — remove the test and move on. ❌ No — close the PR for now and revisit later.

Why this matters:

* Older opm versions don’t work with enforceLevel: restricted,

* We want to follow better security practices,

* This would reduce permissions and make pods more secure.

Would love to hear from folks who can help make the call. @joelanford @tmshort @perdasilva WDYT?

I think that's fine with me. It makes sense to move (and to only support) the more secure opm. It shouldn't be easily enough to move catalogs to a newer version of opm if this breaks some old installations somewhere, and to the benefit of the user... imo, I'm good with this.

@camilamacedo86 camilamacedo86 changed the title ⚠️ Enforce PSA for restricted instead of baseline ⚠️ Enforce PSA Restricted Level for CatalogSources (Drop Support for opm < v1.21.0) May 19, 2025
@camilamacedo86 camilamacedo86 changed the title ⚠️ Enforce PSA Restricted Level for CatalogSources (Drop Support for opm < v1.21.0) ⚠️ Enforce PSA Restricted Level for CatalogSources (Drop Support for Catalogs built with opm < v1.21.0) May 19, 2025
@camilamacedo86 camilamacedo86 requested a review from anik120 May 19, 2025 09:08
anik120
anik120 previously approved these changes May 19, 2025
View reviewed changes
Copy link
Contributor

@anik120 anik120 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, ack. Thanks for the context @camilamacedo86

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label May 19, 2025
@camilamacedo86
Enforce PSA Restricted Level for CatalogSources (Drop Support for Cat…
153d05d 
…alogs Built with opm < v1.21.0)

- enforce PSA restricted level
- remove tests for Catalogs built with opm < v1.21.0 to ensure compatibility with those that needs baseline permissions
@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label May 19, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented May 19, 2025

New changes are detected. LGTM label has been removed.

@camilamacedo86 camilamacedo86 enabled auto-merge May 19, 2025 21:06
@joelanford
Copy link
Member

This definitely needs an RFC since it is a breaking change. We need to carefully think through all of the implications. And we would ideally make a data driven decision about this. For example, Red Hat OCP collects telemetry. Can we tell how many CatalogSources are in baseline namespaces or how many explicitly set spec.grpcPodConfig.securityContextConfig: legacy?

Also this PR doesn't seem to actually do anything different with CatalogSources that use spec.grpcPodConfig.securityContextConfig: legacy`, so it doesn't feel like we're actually dropping support for those older catalogs. It's hard to tell what the intention is here based on a comparison of the PR changes and the PR description.

joelanford
joelanford requested changes May 19, 2025
View reviewed changes
Copy link
Member

@joelanford joelanford left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my above comment. I think we need a bit more due diligence and discussion to decide to make a breaking change.

@camilamacedo86
Copy link
Contributor Author

camilamacedo86 commented May 20, 2025
edited
Loading

Hi @joelanford

Thank you for your input. Following the answers inline.

Can we tell how many CatalogSources are in baseline namespaces or how many explicitly set spec.grpcPodConfig.securityContextConfig: legacy?

All Catalogues from OCP 4.11/4/12 should no longer be built using the OPM version < v1.21.0.

Also this PR doesn't seem to actually do anything different with CatalogSources that use spec.grpcPodConfig.securityContextConfig: legacy

This PR only changes the permissions; instead of enforcing the baseline, we are enforcing restricted.
We are just removing the tests that ensure exactly that, we are still supporting catalog source built with OPM version < v1.21.0 that requires baseline permissions and cannot run with restricted ( prior OCP PodSecurityContext enforcement and SCC changes )

Given that, if you think that an RFC would be required, here is fine. I am addressing this need in JIRA and asking for an RFC.

@camilamacedo86 camilamacedo86 mentioned this pull request May 20, 2025
Open
@joelanford
Copy link
Member

In general my perspective on OLMv0 is that we change nothing, except:

  • critical bug fixes
  • CVE fixes
  • Critical product improvements requested by downstream vendors
  • CI improvements that make it easier for us to verify and merge the above kinds of changes.

IMO, this change does not fall into that category. And I'm totally happy to discuss the merits of those change categories if folks disagree.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joelanford joelanford joelanford requested changes

@anik120 anik120 anik120 left review comments

@akihikokuroda akihikokuroda Awaiting requested review from akihikokuroda

@dtfranz dtfranz Awaiting requested review from dtfranz

@perdasilva perdasilva Awaiting requested review from perdasilva

@kevinrizza kevinrizza Awaiting requested review from kevinrizza

@tmshort tmshort Awaiting requested review from tmshort

@grokspawn grokspawn Awaiting requested review from grokspawn

Requested changes must be addressed to merge this pull request.

Assignees

@anik120 anik120

@kevinrizza kevinrizza

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@camilamacedo86 @kevinrizza @anik120 @perdasilva @joelanford @openshift-merge-robot