chore: add heritage=deckhouse label for Pods in user ns #1880

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

diafour merged 7 commits into main from chore/api/add-heritage-deckhouse-label

Jan 21, 2026

+12 −2

Member

diafour commented Jan 15, 2026 •

edited

Loading

Description

Add heritage=deckhouse label to Pods that run in user namespaces:

dvcr-importer-*
dvcr-uploader-*
bounder-*

Also add label to kubevirt and cdi related Pods:

cdi-importer-*
cdi-uploader-*
cdi-clone-*
prep-* (cdi-populator-prep)
size-detection-*

virt-launcher-*
hp-volume-*

Why do we need it, and what problem does it solve?

Support security hardening for Deckhouse system components implemented by deckhouse/deckhouse#16749

What is the expected result?

Non-system service accounts can't delete Pods created in non-system namespaces by the virtualization module.

Checklist

The code is covered by unit tests.
e2e tests passed.
Documentation updated according to the changes.
Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: api
type: chore
summary: Add heritage=deckhouse label for Pods created in non-system namespaces

diafour added this to the v1.5.0 milestone

diafour requested review from Isteb4k and yaroslavborbat as code owners

January 15, 2026 17:11

github-actions bot assigned diafour

diafour requested a review from fl64 as a code owner

January 15, 2026 17:41

diafour added e2e/run e2e/user/hayer969 labels

deckhouse-BOaTswain removed the e2e/run label

diafour added the e2e/run label

Contributor

deckhouse-BOaTswain commented Jan 16, 2026 •

edited

Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

deckhouse-BOaTswain removed the e2e/run label

diafour added the e2e/run label

diafour force-pushed the chore/api/add-heritage-deckhouse-label branch 2 times, most recently from 168c4ce to e012c26 Compare

January 16, 2026 16:24

diafour added e2e/run and removed e2e/run labels

Contributor

deckhouse-BOaTswain commented Jan 16, 2026 •

edited

Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

deckhouse-BOaTswain removed the e2e/run label

diafour added e2e/run and removed e2e/user/hayer969 labels

Contributor

deckhouse-BOaTswain commented Jan 19, 2026

Workflow has started.
Follow the progress here: Workflow Run

deckhouse-BOaTswain removed the e2e/run label

diafour force-pushed the chore/api/add-heritage-deckhouse-label branch from e012c26 to 44e4967 Compare

January 19, 2026 14:19

diafour added e2e/run e2e/user/hayer969 labels

deckhouse-BOaTswain removed the e2e/run label

diafour force-pushed the chore/api/add-heritage-deckhouse-label branch from 44e4967 to a4f3663 Compare

January 19, 2026 14:35

diafour added the e2e/run label

Contributor

deckhouse-BOaTswain commented Jan 19, 2026 •

edited

Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

deckhouse-BOaTswain removed the e2e/run label

diafour added the e2e/run label

Contributor

deckhouse-BOaTswain commented Jan 19, 2026 •

edited

Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

deckhouse-BOaTswain removed the e2e/run label

diafour added the e2e/run label

Contributor

deckhouse-BOaTswain commented Jan 19, 2026 •

edited

Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

deckhouse-BOaTswain removed the e2e/run label

diafour added 6 commits

January 21, 2026 16:40


          chore: add heritage=deckhouse label for Pods in user ns

388bb6c

Support security hardening for Deckhouse system components implemented by deckhouse/deckhouse#16749

Add heritage=deckhouse label to Pods that run in user namespaces:

- dvcr-importer-*
- dvcr-uploader-*
- bounder-*

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>


          ++ use 3p-kubevirt, 3p-cdi with added label

dd7bba8

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>


          ++ linting

9570a8b

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>


          ++ ignore hdd-based storage classes

534cb63

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>


          ++ increase e2e tests timeout

fc857e9

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>


          ++ use tags for 3p repositories

065d517

++ revert dev-cluster e2e tests specifics

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>

diafour force-pushed the chore/api/add-heritage-deckhouse-label branch from 0e56dac to 065d517 Compare

January 21, 2026 13:41


          ++ rename const

ef24905

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>

LopatinDmitr approved these changes

View reviewed changes

diafour merged commit 64f9376 into main

31 of 33 checks passed

diafour deleted the chore/api/add-heritage-deckhouse-label branch

January 21, 2026 16:29

deckhouse-BOaTswain mentioned this pull request

Changelog v1.5.0 #1860

Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

LopatinDmitr LopatinDmitr approved these changes

Isteb4k Awaiting requested review from Isteb4k Isteb4k is a code owner

yaroslavborbat Awaiting requested review from yaroslavborbat yaroslavborbat is a code owner

fl64 Awaiting requested review from fl64 fl64 is a code owner

Labels

e2e/user/hayer969