Kas policy 4.12 #2826
Signed-off-by: Enrique Llorente <ellorent@redhat.com>
As part of hardening CP workloads, this introduces a network policy that: Selects pods excluding the ones having NeedManagementKASAccessLabel and specific operands. It denies egress traffic to the management cluster clusterNetwork and to the KAS endpoints.
This is a follow-up for openshift#2796. Without this, existing HCs upgrading to this version of the HO fail to reconcile CAPI as they attempt to change the labelSelector.
/hold
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: enxebre
/test e2e-aws
/test e2e-aws
/test e2e-aws
/hold cancel
/lgtm
@enxebre: The following test failed, say
255e1b6 into openshift:release-4.12
What this PR does / why we need it:
cherry-picks #2786
And to keep the conflicts reasonably clean: #2181, #2439
It also includes pod_exec originally introduced in this PR as part of a conflict resolution
Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #
Checklist