Relax pod admission controls when using a local catalog index

See https://docs.openshift.com/container-platform/4.13/operators/admin/olm-managing-custom-catalogs.html#olm-catalog-sources-and-psa_olm-managing-custom-catalogs
infrawatch · Sep 8, 2023 · b44a54e · b44a54e
1 parent cd216c0
commit b44a54e
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/build/stf-run-ci/tasks/create_catalog.yml b/build/stf-run-ci/tasks/create_catalog.yml
@@ -140,6 +140,8 @@
         image: "{{ stf_index_image_path }}"
         publisher: CloudOps
         sourceType: grpc
+        grpcPodConfig:
+          securityContextConfig: legacy
         updateStrategy:
           registryPoll:
             interval: 1m
diff --git a/build/stf-run-ci/tasks/main.yml b/build/stf-run-ci/tasks/main.yml
@@ -107,6 +107,20 @@
     tags:
       - deploy
 
+- when: __deploy_from_index_enabled | bool or __deploy_from_bundles_enabled | bool
+  name: Relax the pod security admission controls to allow local catalog index registry pods
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: "{{ namespace }}"
+        labels:
+          security.openshift.io/scc.podSecurityLabelSync: "false"
+          pod-security.kubernetes.io/enforce: baseline
+          pod-security.kubernetes.io/audit: restricted
+          pod-security.kubernetes.io/warn: restricted
+
 - when: __deploy_from_index_enabled | bool
   tags:
     - create_bundles