Enforce PSA for restricted instead of baseline

camilamacedo86 · camilamacedo86 · commit fc3aaa53c1ee · 2025-05-16T09:57:49.000+01:00
For the last two years, we've defaulted to baseline enforcement. At this point, I expect everyone to use catalog binaries that can handle restricted enforcement
diff --git a/deploy/chart/values.yaml b/deploy/chart/values.yaml
@@ -2,7 +2,7 @@ rbacApiVersion: rbac.authorization.k8s.io
 namespace: operator-lifecycle-manager
 # see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details
 namespace_psa: 
-  enforceLevel: baseline
+  enforceLevel: restricted
   enforceVersion: latest
   auditLevel: restricted
   auditVersion: latest
@@ -12,7 +12,7 @@ catalog_namespace: operator-lifecycle-manager
 operator_namespace: operators
 # see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details
 operator_namespace_psa: 
-  enforceLevel: baseline
+  enforceLevel: restricted
   enforceVersion: latest
 minKubeVersion: 1.11.0
 writeStatusName: '""'
diff --git a/deploy/upstream/values.yaml b/deploy/upstream/values.yaml
@@ -9,7 +9,7 @@ catalog_namespace: olm
 operator_namespace: operators
 # see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details
 operator_namespace_psa: 
-  enforceLevel: baseline
+  enforceLevel: restricted
   enforceVersion: latest
 imagestream: false
 writeStatusName: '""'
diff --git a/test/e2e/catalog_e2e_test.go b/test/e2e/catalog_e2e_test.go
@@ -1672,7 +1672,7 @@ var _ = Describe("Starting CatalogSource e2e tests", Label("CatalogSource"), fun
 			})
 		})
 	})
-	When("The namespace is labled as Pod Security Admission policy enforce:baseline", func() {
+	When("The namespace is labled as Pod Security Admission policy enforce:restricted", func() {
 		BeforeEach(func() {
 			var err error
 			testNS := &corev1.Namespace{}
@@ -1685,7 +1685,7 @@ var _ = Describe("Starting CatalogSource e2e tests", Label("CatalogSource"), fun
 			}).Should(BeNil())
 
 			testNS.ObjectMeta.Labels = map[string]string{
-				"pod-security.kubernetes.io/enforce":         "baseline",
+				"pod-security.kubernetes.io/enforce":         "restricted",
 				"pod-security.kubernetes.io/enforce-version": "latest",
 			}
 
