Merge branch 'master' into update-1.25

crds/operators.coreos.com_catalogsources.yaml

@@ -79,9 +79,13 @@ spec:
                     priorityClassName:
                       description: If specified, indicates the pod's priority. If not specified, the pod priority will be default or zero if there is no default.
                       type: string
-                    runAsRoot:
-                      description: RunAsRoot allows admins to indicate that they wish to run the container inside the CatalogSource pod in a privileged mode as root.  This should only be enabled when running older catalog images which could not be run as non-root.
-                      type: boolean
+                    securityContextConfig:
+                      description: 'SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource''s pod is either injected with the right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in Pod Security Admission(PSA) controller''s `restricted` mode, or doesn''t set these values at all, in which case the pod can only be run in PSA `baseline` or `privileged` namespaces. By default, SecurityContextConfig is set to `restricted`. If the value is unspecified, the default value of `restricted` is used.  Specifying any other value will result in a validation error. When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig should be set to `legacy`. More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'''
+                      type: string
+                      default: restricted
+                      enum:
+                        - legacy
+                        - restricted
                     tolerations:
                       description: Tolerations are the catalog source's pod's tolerations.
                       type: array

pkg/operators/v1alpha1/catalogsource_types.go

@@ -96,6 +96,13 @@ type CatalogSourceSpec struct {
 	Icon        Icon   `json:"icon,omitempty"`
 }
 
+type SecurityConfig string
+
+const (
+	Legacy     SecurityConfig = "legacy"
+	Restricted SecurityConfig = "restricted"
+)
+
 // GrpcPodConfig contains configuration specified for a catalog source
 type GrpcPodConfig struct {
 	// NodeSelector is a selector which must be true for the pod to fit on a node.
@@ -113,10 +120,18 @@ type GrpcPodConfig struct {
 	// +optional
 	PriorityClassName *string `json:"priorityClassName,omitempty"`
 
-	// RunAsRoot allows admins to indicate that they wish to run the container inside the CatalogSource pod in a privileged
-	// mode as root.  This should only be enabled when running older catalog images which could not be run as non-root.
+	// SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource's pod is either injected with
+	// the right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in
+	// Pod Security Admission(PSA) controller's `restricted` mode, or doesn't set these values at all, in which case the pod
+	// can only be run in PSA `baseline` or `privileged` namespaces. By default, SecurityContextConfig is set to `restricted`.
+	// If the value is unspecified, the default value of `restricted` is used.  Specifying any other value will result in a
+	// validation error. When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig
+	// should be set to `legacy`.
+	// More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'
 	// +optional
-	RunAsRoot bool `json:"runAsRoot,omitempty"`
+	// +kubebuilder:validation:Enum=legacy;restricted
+	// +kubebuilder:default:=restricted
+	SecurityContextConfig SecurityConfig `json:"securityContextConfig,omitempty"`
 }
 
 // UpdateStrategy holds all the different types of catalog source update strategies