helm: add agent and operator hostPorts to PodSecurityPolicy #12175
Conversation
Commit 0482555d900560f6bcca5d57f625ead2bcd6c20b does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
Please set the appropriate release note label.
When config options that open hostPorts are enabled the PodSecurityPolicy needs to reflect this or it will not be selected. Signed-off-by: Christian Frantsen <christian.frantsen@dom.se>
Thanks for the PR! I wonder if these hostPorts are also required for the Cilium health checks on port 4240?
https://docs.cilium.io/en/v1.7/install/system_requirements/#firewall-rules
#10681 is also editing the PSP but we can't merge it until #11140 is fixed.
I understand that this PR is actually fixing a potential issue with the PSP but we can't test it in our CI. @cfrantsen do you have a way to replicate the issue this PR is fixing?
@aanm It should be possible to reproduce by enabling the options that add hostPorts to the pod spec and then deploying to a cluster with PSP enabled. In addition to this there must not exist RBAC that allows the use of any other PSP except cilium-psp/cilium-operator-psp.
@gandro I could not find any other place where hostPort was defined in the chart so I don't think the health checks are affected by this.
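As an added illustration (not code from this PR or from the Cilium chart), the script below simulates the admission rule the thread is about: a pod that declares hostPort is only admitted under a PSP whose spec.hostPorts ranges cover every such port, which is why a PSP without that field is never selected for the agent. The PSP and pod specs, and the port number, are constructed for the example.

```python
"""Simulated PodSecurityPolicy hostPort admission check (added example, not Cilium code)."""
from typing import List, Tuple


def pod_host_ports(pod_spec: dict) -> List[int]:
    """Collect every hostPort declared by the pod's containers and initContainers."""
    ports = []
    for key in ("containers", "initContainers"):
        for container in pod_spec.get(key, []):
            for port in container.get("ports", []):
                if "hostPort" in port:
                    ports.append(int(port["hostPort"]))
    return ports


def psp_admits(psp: dict, pod_spec: dict) -> Tuple[bool, List[int]]:
    """Return (admitted, offending_ports).

    Mirrors the PSP rule: each hostPort must fall inside at least one
    min/max range listed under spec.hostPorts; an absent list allows none.
    """
    ranges = [
        (int(r["min"]), int(r["max"]))
        for r in psp.get("spec", {}).get("hostPorts", [])
    ]
    offending = [
        p for p in pod_host_ports(pod_spec)
        if not any(lo <= p <= hi for lo, hi in ranges)
    ]
    return (not offending, offending)


# Constructed sample data (not the chart's real manifests).
# PSP as it looked before adding hostPorts: hostNetwork only.
PSP_WITHOUT_HOSTPORTS = {"spec": {"hostNetwork": True}}
# PSP that also declares a hostPort range covering the agent's port.
PSP_WITH_HOSTPORTS = {
    "spec": {"hostNetwork": True, "hostPorts": [{"min": 4240, "max": 4240}]}
}
# Agent pod with a config option enabled that opens a hostPort (4240 is a placeholder).
AGENT_POD = {
    "containers": [
        {"name": "cilium-agent", "ports": [{"containerPort": 4240, "hostPort": 4240}]}
    ]
}

if __name__ == "__main__":
    print("without hostPorts:", psp_admits(PSP_WITHOUT_HOSTPORTS, AGENT_POD))  # (False, [4240])
    print("with hostPorts:   ", psp_admits(PSP_WITH_HOSTPORTS, AGENT_POD))     # (True, [])
```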
@cfrantsen I'm going to close this PR. PodSecurityPolicy will be removed from Kubernetes kubernetes/kubernetes#90603
When config options that open hostPorts are enabled the PodSecurityPolicy needs to reflect this or it will not be selected.
Fixes #12324