Merge pull request #3111 from muraee/fix-psa-labels

OCPBUGS-20526: Align PSA labels on guest cluster namespaces with standalone OCP
openshift · Oct 24, 2023 · 34d364c · 34d364c
2 parents e258482 + 0ff1457
commit 34d364c
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/control-plane-operator/controllers/hostedcontrolplane/clusterpolicy/config.go b/control-plane-operator/controllers/hostedcontrolplane/clusterpolicy/config.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"fmt"
 	"path"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -67,5 +68,24 @@ func reconcileConfig(cfg *openshiftcpv1.OpenShiftControllerManagerConfig, minTLS
 			CipherSuites:  cipherSuites,
 		},
 	}
+
+	// disables automatically setting the `pod-security.kubernetes.io/enforce` label on namespaces by the pod-security-admission-label-synchronization-controller
+	// see https://github.com/openshift/cluster-policy-controller/blob/50c2a8337f08856bbae4cd419bb8ffcbdf92567c/pkg/cmd/controller/psalabelsyncer.go#L19
+	index := -1
+	for i := range cfg.FeatureGates {
+		fg := cfg.FeatureGates[i]
+		if strings.HasPrefix(fg, "OpenShiftPodSecurityAdmission") {
+			index = i
+			break
+		}
+	}
+
+	if index != -1 {
+		// overwrite
+		cfg.FeatureGates[index] = "OpenShiftPodSecurityAdmission=false"
+	} else {
+		cfg.FeatureGates = append(cfg.FeatureGates, "OpenShiftPodSecurityAdmission=false")
+	}
+
 	return nil
 }