psaconfig: invert the enforce/log logic to default to logging

Author: stlaz

pkg/cmd/render/render.go

@@ -304,12 +304,12 @@ func bootstrapDefaultConfig(featureSet configv1.FeatureSet) ([]byte, error) {
 	}
 
 	// modify config for TechPreviewNoUpgrade here.
-	if sets.NewString(configv1.FeatureSets[featureSet].Disabled...).Has("OpenShiftPodSecurityAdmission") {
-		if err := auth.SetPodSecurityAdmissionToEnforcePrivileged(defaultConfig); err != nil {
+	if sets.NewString(configv1.FeatureSets[featureSet].Enabled...).Has("OpenShiftPodSecurityAdmission") {
+		if err := auth.SetPodSecurityAdmissionToEnforceRestricted(defaultConfig); err != nil {
 			return nil, err
 		}
 	} else {
-		if err := auth.SetPodSecurityAdmissionToEnforceRestricted(defaultConfig); err != nil {
+		if err := auth.SetPodSecurityAdmissionToEnforcePrivileged(defaultConfig); err != nil {
 			return nil, err
 		}
 	}

pkg/operator/configobservation/auth/podsecurityadmission.go

@@ -97,19 +97,19 @@ func observePodSecurityAdmissionEnforcement(featureGate *configv1.FeatureGate, r
 
 	errs := []error{}
 
-	_, disabled, err := featuregates.FeaturesGatesFromFeatureSets(featureGate)
+	enabled, _, err := featuregates.FeaturesGatesFromFeatureSets(featureGate)
 	if err != nil {
 		return existingConfig, append(errs, err)
 	}
 
 	observedConfig := map[string]interface{}{}
 	switch {
-	case sets.NewString(disabled...).Has("OpenShiftPodSecurityAdmission"):
-		if err := SetPodSecurityAdmissionToEnforcePrivileged(observedConfig); err != nil {
+	case sets.NewString(enabled...).Has("OpenShiftPodSecurityAdmission"):
+		if err := SetPodSecurityAdmissionToEnforceRestricted(observedConfig); err != nil {
 			return existingConfig, append(errs, err)
 		}
 	default:
-		if err := SetPodSecurityAdmissionToEnforceRestricted(observedConfig); err != nil {
+		if err := SetPodSecurityAdmissionToEnforcePrivileged(observedConfig); err != nil {
 			return existingConfig, append(errs, err)
 		}
 	}

pkg/operator/configobservation/auth/podsecurityadmission_test.go

@@ -48,8 +48,8 @@ func TestObservePodSecurityAdmissionEnforcement(t *testing.T) {
 			FeatureGateSelection: configv1.FeatureGateSelection{
 				FeatureSet: "CustomNoUpgrade",
 				CustomNoUpgrade: &configv1.CustomFeatureGates{
-					Enabled:  nil,
-					Disabled: []string{"OpenShiftPodSecurityAdmission"},
+					Enabled:  []string{"OpenShiftPodSecurityAdmission"},
+					Disabled: nil,
 				},
 			},
 		},
@@ -63,11 +63,11 @@ func TestObservePodSecurityAdmissionEnforcement(t *testing.T) {
 		expectedJSON string
 	}{
 		{
-			name:         "enforce",
+			name:         "not enabled",
 			existingJSON: string(privilegedJSON),
 			featureGate:  defaultFeatureSet,
 			expectedErr:  "",
-			expectedJSON: string(restrictedJSON),
+			expectedJSON: string(privilegedJSON),
 		},
 		{
 			name:         "corrupt-1",
@@ -84,11 +84,11 @@ func TestObservePodSecurityAdmissionEnforcement(t *testing.T) {
 			expectedJSON: string(restrictedJSON),
 		},
 		{
-			name:         "disabled",
+			name:         "enabled",
 			existingJSON: string(restrictedJSON),
 			featureGate:  disabledFeatureSet,
 			expectedErr:  "",
-			expectedJSON: string(privilegedJSON),
+			expectedJSON: string(restrictedJSON),
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {