Commit

remove default value of catsrc.spec.grpcPodConfig.securityContextConfig (#342)

Signed-off-by: Joe Lanford <joe.lanford@gmail.com>
joelanford committed Jun 13, 2024
1 parent e684a59 commit 5d2d3fb
Showing 3 changed files with 11 additions and 18 deletions.
14 changes: 5 additions & 9 deletions crds/operators.coreos.com_catalogsources.yaml
Expand Up @@ -1023,19 +1023,15 @@ spec:
SecurityContextConfig can be one of `legacy` or `restricted`. The CatalogSource's pod is either injected with the
right pod.spec.securityContext and pod.spec.container[*].securityContext values to allow the pod to run in Pod
Security Admission (PSA) `restricted` mode, or doesn't set these values at all, in which case the pod can only be
run in PSA `baseline` or `privileged` namespaces. Currently if the SecurityContextConfig is unspecified, the default
value of `legacy` is used. Specifying a value other than `legacy` or `restricted` result in a validation error.
When using older catalog images, which could not be run in `restricted` mode, the SecurityContextConfig should be
set to `legacy`.
In a future version will the default will be set to `restricted`, catalog maintainers should rebuild their catalogs
with a version of opm that supports running catalogSource pods in `restricted` mode to prepare for these changes.
run in PSA `baseline` or `privileged` namespaces. If the SecurityContextConfig is unspecified, the mode will be
determined by the namespace's PSA configuration. If the namespace is enforcing `restricted` mode, then the pod
will be configured as if `restricted` was specified. Otherwise, it will be configured as if `legacy` was
specified. Specifying a value other than `legacy` or `restricted` result in a validation error. When using older
catalog images, which can not run in `restricted` mode, the SecurityContextConfig should be set to `legacy`.
More information about PSA can be found here: https://kubernetes.io/docs/concepts/security/pod-security-admission/'
type: string
default: legacy
enum:
- legacy
- restricted
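
Review bot: The rewritten description makes the unset case follow the namespace ("If the SecurityContextConfig is unspecified, the mode will be determined by the namespace's PSA configuration"), but with `default: legacy` dropped it never says how an explicitly set value interacts with that rule. CatalogSources that already carry `legacy` in their spec will presumably keep the legacy pod configuration, which the same description says "can only be run in PSA `baseline` or `privileged` namespaces", so they would not pick up the namespace-derived mode. Suggest one added sentence stating that an explicit value always overrides the namespace's PSA configuration and that the field must be left unset to get the new behaviour. It would also help to say whether "enforcing" refers only to the namespace's enforce level or also to warn and audit. Two wording fixes in the same added lines: "result in a validation error" should be "results in", and "can not" should be "cannot".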