Fix enforcing the restricted mode

MaciejKaras · MaciejKaras · commit 697917ee5e34 · 2025-09-24T15:57:09.000+02:00
diff --git a/docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_backup_sharded_cluster.py b/docker/mongodb-kubernetes-tests/tests/opsmanager/om_ops_manager_backup_sharded_cluster.py
@@ -43,24 +43,27 @@ def s3_bucket(aws_s3_client: AwsS3Client, namespace: str) -> str:
     yield from create_s3_bucket(aws_s3_client, "test-bucket-sharded-")
 
 
+@fixture(scope="module")
+def enforced_pss_namespace(namespace: str) -> str:
+    # Change pod-security mode from warn to enforce. This will make test fail if operator and deployments don't support enforce mode
+    # This will not work in multi-cluster, because Istio injects sidecar and that breaks restricted level
+    if not is_multi_cluster():
+        label_namespace(namespace, {"pod-security.kubernetes.io/enforce": "restricted"})
+
+    return namespace
+
+
 @fixture(scope="module")
 def ops_manager(
-    namespace: str,
+    enforced_pss_namespace: str,
     s3_bucket: str,
     custom_version: Optional[str],
     custom_appdb_version: str,
 ) -> MongoDBOpsManager:
     resource: MongoDBOpsManager = MongoDBOpsManager.from_yaml(
-        yaml_fixture("om_ops_manager_backup.yaml"), namespace=namespace
+        yaml_fixture("om_ops_manager_backup.yaml"), namespace=enforced_pss_namespace
     )
 
-    # Change pod-security mode from warn to enforce. This will make test fail if operator and deployments don't support enforce mode
-    # This will not work in multi-cluster, because Istio injects sidecar and that breaks restricted level
-    if not is_multi_cluster():
-        label_namespace(
-            namespace, {"pod-security.kubernetes.io/enforce": None, "pod-security.kubernetes.io/warn": "restricted"}
-        )
-
     try_load(resource)
     return resource
 
