OCPNODE-3225,OCPNODE-2557: features: set user namespace features on by default

features.md

@@ -48,14 +48,11 @@
 | OVNObservability| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | PinnedImages| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | PlatformOperators| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| ProcMountType| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | RouteAdvertisements| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | SignatureStores| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | SigstoreImageVerification| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | TranslateStreamCloseWebsocketRequests| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | UpgradeStatus| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| UserNamespacesPodSecurityStandards| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
-| UserNamespacesSupport| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | VSphereConfigurableMaxAllowedBlockVolumesPerNode| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | VSphereHostVMGroupZonal| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | VSphereMultiDisk| | | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
@@ -94,9 +91,12 @@
 | OpenShiftPodSecurityAdmission| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | PersistentIPsForVirtualization| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | PrivateHostedZoneAWS| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| ProcMountType| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | RouteExternalCertificate| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ServiceAccountTokenNodeBinding| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | SetEIPForNLBIngressController| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| UserNamespacesPodSecurityStandards| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
+| UserNamespacesSupport| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | VSphereDriverConfiguration| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | VSphereMultiVCenters| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |
 | ValidatingAdmissionPolicy| <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span> | <span style="background-color: #519450">Enabled</span>  |

features/features.go

@@ -687,23 +687,26 @@ var (
 						contactPerson("haircommander").
 						productScope(kubernetes).
 						enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
-						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+						enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
 						mustRegister()
 
+	// Note: this feature is perma-alpha, but it is safe and desireable to enable.
+	// It was an oversight in upstream to not remove the feature gate after the version skew became safe in 1.33.
+	// See https://github.com/kubernetes/enhancements/tree/d4226c42/keps/sig-node/127-user-namespaces#pod-security-standards-pss-integration
 	FeatureGateUserNamespacesPodSecurityStandards = newFeatureGate("UserNamespacesPodSecurityStandards").
 							reportProblemsToJiraComponent("Node").
 							contactPerson("haircommander").
 							productScope(kubernetes).
 							enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
-							enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+							enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
 							mustRegister()
 
 	FeatureGateProcMountType = newFeatureGate("ProcMountType").
 					reportProblemsToJiraComponent("Node").
 					contactPerson("haircommander").
 					productScope(kubernetes).
 					enhancementPR("https://github.com/kubernetes/enhancements/issues/4265").
-					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+					enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
 					mustRegister()
 
 	FeatureGateVSphereMultiNetworks = newFeatureGate("VSphereMultiNetworks").

payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml → payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints.crd.yaml

@@ -7,7 +7,6 @@ metadata:
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
     release.openshift.io/bootstrap-required: "true"
-    release.openshift.io/feature-set: CustomNoUpgrade
   name: securitycontextconstraints.security.openshift.io
 spec:
   group: security.openshift.io

payload-manifests/featuregates/featureGate-Hypershift-Default.yaml

@@ -145,9 +145,6 @@
                     {
                         "name": "PlatformOperators"
                     },
-                    {
-                        "name": "ProcMountType"
-                    },
                     {
                         "name": "RouteAdvertisements"
                     },
@@ -175,12 +172,6 @@
                     {
                         "name": "UpgradeStatus"
                     },
-                    {
-                        "name": "UserNamespacesPodSecurityStandards"
-                    },
-                    {
-                        "name": "UserNamespacesSupport"
-                    },
                     {
                         "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"
                     },
@@ -297,6 +288,9 @@
                     {
                         "name": "PrivateHostedZoneAWS"
                     },
+                    {
+                        "name": "ProcMountType"
+                    },
                     {
                         "name": "RouteExternalCertificate"
                     },
@@ -306,6 +300,12 @@
                     {
                         "name": "SetEIPForNLBIngressController"
                     },
+                    {
+                        "name": "UserNamespacesPodSecurityStandards"
+                    },
+                    {
+                        "name": "UserNamespacesSupport"
+                    },
                     {
                         "name": "VSphereDriverConfiguration"
                     },

payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml

@@ -145,9 +145,6 @@
                     {
                         "name": "PlatformOperators"
                     },
-                    {
-                        "name": "ProcMountType"
-                    },
                     {
                         "name": "RouteAdvertisements"
                     },
@@ -175,12 +172,6 @@
                     {
                         "name": "UpgradeStatus"
                     },
-                    {
-                        "name": "UserNamespacesPodSecurityStandards"
-                    },
-                    {
-                        "name": "UserNamespacesSupport"
-                    },
                     {
                         "name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"
                     },
@@ -297,6 +288,9 @@
                     {
                         "name": "PrivateHostedZoneAWS"
                     },
+                    {
+                        "name": "ProcMountType"
+                    },
                     {
                         "name": "RouteExternalCertificate"
                     },
@@ -306,6 +300,12 @@
                     {
                         "name": "SetEIPForNLBIngressController"
                     },
+                    {
+                        "name": "UserNamespacesPodSecurityStandards"
+                    },
+                    {
+                        "name": "UserNamespacesSupport"
+                    },
                     {
                         "name": "VSphereDriverConfiguration"
                     },

security/v1/tests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml

@@ -1,11 +1,9 @@
 apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
 name: "SecurityContextConstraints"
 crdName: securitycontextconstraints.security.openshift.io
-featureGates:
-- -UserNamespacesPodSecurityStandards
 tests:
   onCreate:
-    - name: Should be able to create a minimal SecurityContextConstraints
+    - name: Should be able to create a minimal SecurityContextConstraints with featuregate enabled
       initial: |
         apiVersion: security.openshift.io/v1
         kind: SecurityContextConstraints
@@ -35,4 +33,73 @@ tests:
         priority: 0
         readOnlyRootFilesystem: false
         requiredDropCapabilities: []
+        userNamespaceLevel: "AllowHostLevel"
+        volumes: []
+
+    - name: Should be able to set userNamespaceLevel to AllowHostLevel
+      initial: |
+        apiVersion: security.openshift.io/v1
+        kind: SecurityContextConstraints
+        userNamespaceLevel: "AllowHostLevel"
+        allowHostDirVolumePlugin: false
+        allowHostIPC: false
+        allowHostNetwork: false
+        allowHostPID: false
+        allowHostPorts: false
+        allowPrivilegedContainer: false
+        allowedCapabilities: []
+        defaultAddCapabilities: []
+        priority: 0
+        readOnlyRootFilesystem: false
+        requiredDropCapabilities: []
+        volumes: []
+      expected: |
+        apiVersion: security.openshift.io/v1
+        kind: SecurityContextConstraints
+        userNamespaceLevel: "AllowHostLevel"
+        allowHostDirVolumePlugin: false
+        allowHostIPC: false
+        allowHostNetwork: false
+        allowHostPID: false
+        allowHostPorts: false
+        allowPrivilegedContainer: false
+        allowedCapabilities: []
+        defaultAddCapabilities: []
+        priority: 0
+        readOnlyRootFilesystem: false
+        requiredDropCapabilities: []
+        volumes: []
+
+    - name: Should be able to set userNamespaceLevel to RequirePodLevel
+      initial: |
+        apiVersion: security.openshift.io/v1
+        kind: SecurityContextConstraints
+        userNamespaceLevel: "RequirePodLevel"
+        allowHostDirVolumePlugin: false
+        allowHostIPC: false
+        allowHostNetwork: false
+        allowHostPID: false
+        allowHostPorts: false
+        allowPrivilegedContainer: false
+        allowedCapabilities: []
+        defaultAddCapabilities: []
+        priority: 0
+        readOnlyRootFilesystem: false
+        requiredDropCapabilities: []
+        volumes: []
+      expected: |
+        apiVersion: security.openshift.io/v1
+        kind: SecurityContextConstraints
+        userNamespaceLevel: "RequirePodLevel"
+        allowHostDirVolumePlugin: false
+        allowHostIPC: false
+        allowHostNetwork: false
+        allowHostPID: false
+        allowHostPorts: false
+        allowPrivilegedContainer: false
+        allowedCapabilities: []
+        defaultAddCapabilities: []
+        priority: 0
+        readOnlyRootFilesystem: false
+        requiredDropCapabilities: []
         volumes: []

security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml → security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints.crd.yaml

@@ -7,7 +7,6 @@ metadata:
     include.release.openshift.io/ibm-cloud-managed: "true"
     include.release.openshift.io/self-managed-high-availability: "true"
     release.openshift.io/bootstrap-required: "true"
-    release.openshift.io/feature-set: CustomNoUpgrade
   name: securitycontextconstraints.security.openshift.io
 spec:
   group: security.openshift.io