4.13: Add management cluster KAS network policy #2786
/hold
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enxebre The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
409f98f to da1f769
As part of hardening CP workloads, this introduces a network policy that: Selects pods excluding the ones having NeedManagementKASAccessLabel and specific operands. It denies egress traffic to the management cluster clusterNetwork and to the KAS endpoints.
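The policy shape that commit message describes, as an added example that is not the manifest from this PR or from the HyperShift code base. The policy name, namespace, label key (a placeholder standing in for whatever `NeedManagementKASAccessLabel` resolves to) and both CIDRs are constructed, and the exclusion of specific operands is left out because the page does not name them. NetworkPolicy has no deny rule, so the deny is written as an allow to everything except the blocked ranges:

```yaml
# Added example with constructed values; not the policy generated by this PR.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: management-kas-deny-example      # hypothetical name
  namespace: clusters-example            # hypothetical hosted control plane namespace
spec:
  # Select every pod in the namespace that does NOT carry the opt-in label.
  podSelector:
    matchExpressions:
      # Placeholder key standing in for the value of NeedManagementKASAccessLabel.
      - key: example.com/need-management-kas-access
        operator: DoesNotExist
  policyTypes:
    - Egress
  egress:
    # Allow egress everywhere except the ranges listed under "except".
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.128.0.0/14    # constructed: management cluster clusterNetwork
              - 192.0.2.10/32    # constructed: a management KAS endpoint address
```

NetworkPolicies are additive, so any other policy that selects the same pods and allows egress to one of these ranges reopens that path; in-cluster destinations the pods still need have to be allowed by a separate policy.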
/test e2e-aws
/hold
needs #2796
/test e2e-aws
/test e2e-aws
/lgtm
This is a follow-up for openshift#2796. Without this, existing HCs upgrading to this version of the HO fail to reconcile CAPI as they attempt to change the labelSelector.
/hold cancel
/lgtm
/test e2e-aws
/hold Revision ca6f1e4 was retested 3 times: holding
/test e2e-aws
/hold cancel
@enxebre: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
962bd11 into openshift:release-4.13
What this PR does / why we need it:
Cherry-picks #2796
Which issue(s) this PR fixes (optional, use `fixes #<issue_number>(, fixes #<issue_number>, ...)` format, where issue_number might be a GitHub issue, or a Jira story: Fixes #
Checklist