helm: add agent and operator hostPorts to PodSecurityPolicy #12175
Conversation
|
Commit 0482555d900560f6bcca5d57f625ead2bcd6c20b does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
|
Please set the appropriate release note label. |
maintainer-s-little-helper
bot
added
the
dont-merge/needs-sign-off
|
Please set the appropriate release note label. |
When config options that open hostPorts are enabled the PodeSecurityPolicy needs to reflect this or it will not be selected. Signed-off-by: Christian Frantsen <christian.frantsen@dom.se>
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-sign-off
gandro
added
the
release-note/misc
gandro
added
area/helm
There was a problem hiding this comment.
Thanks for the PR! I wonder if these hostPorts are also required for the Cilium health checks on port 4240?
https://docs.cilium.io/en/v1.7/install/system_requirements/#firewall-rules
There was a problem hiding this comment.
#10681 is also editing the PSP but we can't merge it until #11140 is fixed.
I understand that this PR is actually fixing a potential issue with the PSP but we can't test it in our CI. @cfrantsen do you have a way to replicate the issue this PR is fixing?
|
@aanm It should be possible to reproduce by enabling the options that add hostPorts to the pod spec and then deploying to a cluster with PSP enabled. In addition to this there must not exist RBAC that allows the use of any other PSP except cilium-psp/cilium-operator-psp. |
|
@gandro I could not find any other place where hostPort was defined in the chart so I don't think the helath checks are affected by this. |
|
@cfrantsen I'm going to close this PR. PodSecurityPolicy will be removed from Kubernetes kubernetes/kubernetes#90603 |
When config options that open hostPorts are enabled the PodeSecurityPolicy needs to reflect this or it will not be selected.
Fixes #12324