Skip to content

fix: add podSecurityLabelSync=true to openshift-gitops#1105

Open
nmirasch wants to merge 3 commits intoredhat-developer:masterfrom
nmirasch:GITOPS-9158_add_podSecurityLabelSync
Open

fix: add podSecurityLabelSync=true to openshift-gitops#1105
nmirasch wants to merge 3 commits intoredhat-developer:masterfrom
nmirasch:GITOPS-9158_add_podSecurityLabelSync

Conversation

@nmirasch
Copy link
Contributor

@nmirasch nmirasch commented Mar 23, 2026

What type of PR is this?
/kind bug

What does this PR do / why we need it:
This PR delegate Pod Security Standards (PSS) labeling for OpenShift GitOps namespaces to the cluster.
The operator sets security.openshift.io/scc.podSecurityLabelSync=true on openshift-* namespaces and no longer applies hardcoded pod-security.kubernetes.io/* values itself.

Which issue(s) this PR fixes:

Fixes https://redhat.atlassian.net/browse/GITOPS-9158

Test acceptance criteria:

  • Unit Test
  • E2E Test

@openshift-ci openshift-ci bot requested review from Naveena-058 and jgwest March 23, 2026 18:53
@openshift-ci
Copy link

openshift-ci bot commented Mar 23, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign anandf for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Copy link

openshift-ci bot commented Mar 23, 2026

Hi @nmirasch. Thanks for your PR.

I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@svghadi
Copy link
Member

svghadi commented Mar 24, 2026

/ok-to-test

svghadi
svghadi requested changes Mar 26, 2026
View reviewed changes
Copy link
Member

@svghadi svghadi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @nmirasch . The change looks good to me. I have left some suggestions in the test. Can you take a look?

controllers/gitopsservice_controller_test.go Outdated
Comment on lines 654 to 659
"pod-security.kubernetes.io/enforce": "privileged",
"pod-security.kubernetes.io/enforce-version": "v1.30",
"pod-security.kubernetes.io/audit": "privileged",
"pod-security.kubernetes.io/audit-version": "v1.29",
"pod-security.kubernetes.io/warn": "privileged",
"pod-security.kubernetes.io/warn-version": "v1.29",
Copy link
Member

@svghadi svghadi Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets clean up the unit tests. We can not verify the label addition here so lets just focus on checking security.openshift.io/scc.podSecurityLabelSync label and remove others.

test/openshift/e2e/ginkgo/sequential/1-110_validate_podsecurity_alerts_test.go Outdated

By("OpenShift populates at least one pod-security.kubernetes.io/* label")
pssLabelKeys := []string{
"pod-security.kubernetes.io/audit",
Copy link
Member

@svghadi svghadi Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let’s check for the restricted value in the audit labels. The version value can vary depending on the cluster, so it makes sense to skip validating it.
Verifying the restricted value should help us identify any behavioral changes in OCP in future.

@nmirasch nmirasch force-pushed the GITOPS-9158_add_podSecurityLabelSync branch from fcce172 to 7aaca66 Compare March 27, 2026 08:24
@nmirasch
Copy link
Contributor Author

nmirasch commented Mar 27, 2026

@svghadi rebased!

nmirasch added 3 commits March 27, 2026 10:14
@nmirasch
fix: add podSecurityLabelSync=true to openshift-gitops
6e93255 
Signed-off-by: nmirasch <neus.miras@gmail.com>
@nmirasch
e2e check at least one PSS label is set by Openshift
686bfac 
Signed-off-by: nmirasch <neus.miras@gmail.com>
@nmirasch
assert podSecurityLabelSync and audit=restricted for openshift-gitops ns
4451f4c 
Signed-off-by: nmirasch <neus.miras@gmail.com>
@nmirasch nmirasch force-pushed the GITOPS-9158_add_podSecurityLabelSync branch from 7aaca66 to 4451f4c Compare March 27, 2026 09:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@svghadi svghadi svghadi requested changes

@jgwest jgwest Awaiting requested review from jgwest

@Naveena-058 Naveena-058 Awaiting requested review from Naveena-058

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

ok-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nmirasch @svghadi