
EV-6557: grant tigera-noncluster-host SA create access to Linseed policyactivity#4725

Merged
rene-dekker merged 1 commit into tigera:master from xiumozhan:EV-6557-nch-policyactivity-rbac, Apr 22, 2026

Conversation

Contributor

@xiumozhan xiumozhan commented Apr 20, 2026

Summary

  • Add policyactivity to the linseed.tigera.io create rule on the tigera-noncluster-host ClusterRole.
  • Update the matching test expectation.

Why

Non-cluster host (NCH) fluent-bit posts policy activity records to voltron at /ingestion/api/v1/policy_activity/logs/bulk. Voltron's proxy authorizes each request against the caller's k8s RBAC with resource policyactivity in group linseed.tigera.io (see voltron main.go NCH route AuthorizationAttributesFunc). Without this permission, voltron returns 401 Unauthorized and NCH policy activity logs never reach Linseed.

The in-cluster fluentd-node SA already has this permission (pkg/render/fluentd.go:1012). This patch brings the NCH SA to parity for the NCH ingestion path.

This is the NCH counterpart of #4712, which granted the calico-manager SA get on the same resource for the query-side path.

Test plan

  • go test ./pkg/render/nonclusterhost/... passes.
  • Manually verified on a standalone cluster with non-cluster hosts that NCH fluent-bit POSTs to voltron's policy_activity ingestion path succeed end-to-end and calicoctl get sgnps --show-policy-activities returns fresh timestamps for HEP-tier SGNPs.

Release Note

Grant the tigera-noncluster-host ClusterRole create access on linseed.tigera.io/policyactivity so non-cluster host policy activity logs reach Linseed.
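The RBAC decision the description refers to, as an added example that is not part of this PR or of the operator/voltron code: a minimal model of Kubernetes RBAC rule matching, with a PolicyRule shaped like rbacv1.PolicyRule (copied locally so the example has no external dependency), evaluated against the resource attributes voltron derives for the NCH ingestion route (group linseed.tigera.io, resource policyactivity, verb create). The other resource names in the create rule and the "*" wildcard handling are assumptions for illustration; only the policyactivity/create attributes come from the PR text.

```go
package main

import "fmt"

// PolicyRule is a local copy of the rbacv1.PolicyRule fields that matter for
// this check (an assumption made to keep the example dependency-free).
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// Attributes models the resource attributes that voltron's
// AuthorizationAttributesFunc produces for the NCH ingestion route.
type Attributes struct {
	Group    string
	Resource string
	Verb     string
}

// matches reports whether a rule list covers the wanted value; "*" matches
// everything, as in the Kubernetes RBAC authorizer.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allowed returns true if any rule grants the verb on the group/resource.
// RBAC is allow-only: no rule matching means the request is denied.
func Allowed(rules []PolicyRule, a Attributes) bool {
	for _, r := range rules {
		if matches(r.APIGroups, a.Group) && matches(r.Resources, a.Resource) && matches(r.Verbs, a.Verb) {
			return true
		}
	}
	return false
}

// linseedCreateRule builds the linseed.tigera.io create rule of the
// tigera-noncluster-host ClusterRole before and after the patch. The
// "flows" and "dnslogs" entries are constructed placeholders; the only
// resource taken from the PR is policyactivity.
func linseedCreateRule(withPolicyActivity bool) PolicyRule {
	resources := []string{"flows", "dnslogs"}
	if withPolicyActivity {
		resources = append(resources, "policyactivity")
	}
	return PolicyRule{
		APIGroups: []string{"linseed.tigera.io"},
		Resources: resources,
		Verbs:     []string{"create"},
	}
}

// NCHIngest is what the NCH fluent-bit POST to
// /ingestion/api/v1/policy_activity/logs/bulk is authorized as.
var NCHIngest = Attributes{Group: "linseed.tigera.io", Resource: "policyactivity", Verb: "create"}

func main() {
	before := []PolicyRule{linseedCreateRule(false)}
	after := []PolicyRule{linseedCreateRule(true)}
	fmt.Println("before patch, create policyactivity:", Allowed(before, NCHIngest))
	fmt.Println("after patch,  create policyactivity:", Allowed(after, NCHIngest))
	// The grant is verb-scoped: create does not imply get (the query-side
	// verb that #4712 handled for a different SA).
	get := Attributes{Group: "linseed.tigera.io", Resource: "policyactivity", Verb: "get"}
	fmt.Println("after patch,  get policyactivity:   ", Allowed(after, get))
}
```

Run with `go run .`; the before/after lines show the deny that voltron's per-target authorizer turns into the failed request, and the last line shows that the new rule does not widen the SA beyond the create verb.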

…icyactivity

Non-cluster host fluent-bit ships policy activity logs to Linseed via
voltron's /ingestion/api/v1/policy_activity/logs/bulk route. Without
'create' on linseed.tigera.io/policyactivity, voltron returns 401
Unauthorized from the per-target RBAC authorizer and records never
reach Linseed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@xiumozhan xiumozhan force-pushed the EV-6557-nch-policyactivity-rbac branch from b1aa229 to ad5897e on April 22, 2026 18:41
@rene-dekker rene-dekker merged commit 1245524 into tigera:master Apr 22, 2026
6 checks passed
3 participants