Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release-v1.32] Attach OpenShift SCC to Calico components #3375

Merged
merged 3 commits into from
Jun 6, 2024
Merged

[release-v1.32] Attach OpenShift SCC to Calico components #3375

merged 3 commits into from
Jun 6, 2024

Conversation

hjiawei
Copy link
Contributor

@hjiawei hjiawei commented Jun 4, 2024

Description

This changeset attaches OpenShift SCC to Calico OSS and Enterprise components. The pre-defined nonroot-v2 SCC is used for most of the components to limit access to cluster resources. Core components use pre-defined privileged SCC. Certain components like EgressGateway will use custom defined SCCs.

Pick #3373 into release-v1.32 branch.

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a a new feature.
    • enterprise if this PR applies to Calico Enterprise only.

@hjiawei
Attach OpenShift SCC to Calico components
34402d0 
This changeset attaches OpenShift SCC to Calico OSS and Enterprise
components. The pre-defined `nonroot-v2` SCC is used for most of the
components to limit access to cluster resources. Core components use
pre-defined `privileged` SCC. Certain components like EgressGateway will
use custom defined SCCs.
@hjiawei
Render SCC resources when needed
158e9e3
@hjiawei
Attach OpenShift nonroot-v2 SCC to Prometheus components
0544c10 
This change attaches nonroot-v2 SCC to Tigera prometheus operator,
prometheus, and prometheus service cluster roles. It is missed in [1].

[1] tigera#3357
@hjiawei hjiawei requested a review from a team as a code owner June 4, 2024 19:23
@marvin-tigera marvin-tigera added this to the v1.32.9 milestone Jun 4, 2024
rene-dekker
rene-dekker approved these changes Jun 4, 2024
View reviewed changes
Copy link
Member

@rene-dekker rene-dekker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@rene-dekker rene-dekker merged commit 4e3aa8c into tigera:release-v1.32 Jun 6, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rene-dekker rene-dekker rene-dekker approved these changes

Assignees
No one assigned
Labels
docs-pr-required release-note-required
Projects
None yet
Milestone
v1.32.9
Development

Successfully merging this pull request may close these issues.
3 participants
@hjiawei @rene-dekker @marvin-tigera