From be84d80d793f98659262940ad3bbe3dc2b3eda07 Mon Sep 17 00:00:00 2001
From: Anik Bhattacharjee
Date: Thu, 18 Aug 2022 11:56:44 -0400
Subject: [PATCH] (psa) restrict olm namespace + remove labels from openshift-operators ns
This PR: 1. Adds the enforce:restricted Pod Security Admission labels to the openshift-operator-lifecycle-manager namespace 2. Adds the enforce:privileged PSA labels to the openshift-operator namespace, that will be removed in a future commit, when another entity is present to modify the namespace to set the security of the namespace according to the workloads present in the namespace.
---
 manifests/0000_50_olm_00-namespace.yaml | 4 +++-
 scripts/generate_crds_manifests.sh | 3 ++-
 values.yaml | 5 ++++-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/manifests/0000_50_olm_00-namespace.yaml b/manifests/0000_50_olm_00-namespace.yaml
index 8fffa527e0..168e886714 100644
--- a/manifests/0000_50_olm_00-namespace.yaml
+++ b/manifests/0000_50_olm_00-namespace.yaml
@@ -3,6 +3,8 @@ kind: Namespace
 metadata:
 name: openshift-operator-lifecycle-manager
 labels:
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/enforce-version: "v1.24"
 openshift.io/scc: "anyuid"
 openshift.io/cluster-monitoring: "true"
 annotations:
@@ -16,7 +18,7 @@ kind: Namespace
 metadata:
 name: openshift-operators
 labels:
- pod-security.kubernetes.io/enforce: baseline
+ pod-security.kubernetes.io/enforce: privileged
 pod-security.kubernetes.io/enforce-version: "v1.24"
 openshift.io/scc: "anyuid"
 annotations:
diff --git a/scripts/generate_crds_manifests.sh b/scripts/generate_crds_manifests.sh
index 5c20d1faf8..fadd85a16c 100755
--- a/scripts/generate_crds_manifests.sh
+++ b/scripts/generate_crds_manifests.sh
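Review bot: Lowering `openshift-operators` from `baseline` to `privileged` at the `-`/`+` pair of the second hunk removes the only PSA guardrail on the namespace where user-installed operators run, while the `audit` and `warn` modes stay unset and therefore fall back to whatever cluster-wide admission default applies, which this patch does not show. Keeping `enforce: privileged` for now is what the description asks for, but adding `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline` beside it would record the baseline violations in the audit log and return them as API warnings without rejecting any pod, which is the data the follow-up tracked in OLM-2695 (the issue referenced in the script change of this patch) will need. This manifest appears to be produced from `values.yaml` by `generate_crds_manifests.sh`, so the extra labels would have to be carried by `operator_namespace_psa` and its template as well as here. The Namespace object this hunk edits starts before the hunk.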
@@ -402,4 +402,5 @@ add_ibm_managed_cloud_annotations "${ROOT_DIR}/manifests"
 find "${ROOT_DIR}/manifests" -type f -exec $SED -i "/^#/d" {} \;
 find "${ROOT_DIR}/manifests" -type f -exec $SED -i "1{/---/d}" {} \;
-${YQ} delete --inplace -d'0' manifests/0000_50_olm_00-namespace.yaml 'metadata.labels."pod-security.kubernetes.io/enforce*"'
\ No newline at end of file
+# (anik120): uncomment this once https://issues.redhat.com/browse/OLM-2695 is Done.
+#${YQ} delete --inplace -d'1' manifests/0000_50_olm_00-namespace.yaml 'metadata.labels."pod-security.kubernetes.io/enforce*"'
\ No newline at end of file
diff --git a/values.yaml b/values.yaml
index 671d83dc12..cd736d13be 100644
--- a/values.yaml
+++ b/values.yaml
@@ -1,10 +1,13 @@
 installType: ocp
 rbacApiVersion: rbac.authorization.k8s.io
 namespace: openshift-operator-lifecycle-manager
+namespace_psa:
+ enforceLevel: restricted
+ enforceVersion: '"v1.24"'
 catalog_namespace: openshift-marketplace
 operator_namespace: openshift-operators
 operator_namespace_psa:
- enforceLevel: baseline
+ enforceLevel: privileged
 enforceVersion: '"v1.24"'
 imagestream: true
 writeStatusName: operator-lifecycle-manager
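Review bot: The new tail of the script still ends without a trailing newline (the `\ No newline at end of file` marker appears on the `+` side too), so it should get one while the line is being touched. The commented-out command also silently changes its target from `-d'0'` to `-d'1'`, i.e. from the OLM namespace document to the `openshift-operators` document of the manifest, and the comment does not say so, which a reader re-enabling it later would have to rediscover; `# TODO(anik120): once https://issues.redhat.com/browse/OLM-2695 is Done, re-enable this to strip the PSA labels from document 1 (openshift-operators) of the namespace manifest.` would make the intent explicit and greppable. The surrounding section of the script starts before this hunk.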
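Review bot: The new `namespace_psa` stanza introduces a second copy of `enforceVersion: '"v1.24"'`, and the nested quoting (single quotes around a double-quoted value, so the value itself carries its quotes) is presumably there so the template that consumes these values emits an already-quoted YAML scalar — neither that nor whether the two copies are meant to move together is stated anywhere in the file. A comment above the first stanza would carry it, e.g. `# Pod Security Admission settings per namespace; enforceVersion is pre-quoted because the template inserts it verbatim (keep both stanzas on the same version if they are meant to match)`. As a point of style, the new keys follow `operator_namespace_psa` in mixing a snake_case stanza name with camelCase children, which matches the file's existing mix (`rbacApiVersion` next to `catalog_namespace`) but is worth keeping consistent for any further keys.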