Skip to content

[release-v1.42] EV-6557: grant tigera-noncluster-host SA create access to Linseed policyactivity#4726

Merged
rene-dekker merged 1 commit intotigera:release-v1.42from
xiumozhan:EV-6557-nch-policyactivity-rbac-release-v1.42
Apr 22, 2026
Merged

[release-v1.42] EV-6557: grant tigera-noncluster-host SA create access to Linseed policyactivity#4726
rene-dekker merged 1 commit intotigera:release-v1.42from
xiumozhan:EV-6557-nch-policyactivity-rbac-release-v1.42

Conversation

@xiumozhan
Copy link
Copy Markdown
Contributor

@xiumozhan xiumozhan commented Apr 20, 2026
edited
Loading

Cherry-pick of #4725 to release-v1.42.

Summary

  • Add policyactivity to the linseed.tigera.io create rule on the tigera-noncluster-host ClusterRole.
  • Update the matching test expectation.

Why

Non-cluster host (NCH) fluent-bit posts policy activity records to voltron at /ingestion/api/v1/policy_activity/logs/bulk. Voltron's proxy authorizes each request against the caller's k8s RBAC with resource policyactivity in group linseed.tigera.io. Without this permission, voltron returns 401 Unauthorized and NCH policy activity logs never reach Linseed.

Test plan

  • go test ./pkg/render/nonclusterhost/... passes.

Release Note

Grant the tigera-noncluster-host ClusterRole create access on linseed.tigera.io/policyactivity so non-cluster host policy activity logs reach Linseed.

@xiumozhan @claude
EV-6557: grant tigera-noncluster-host SA create access to Linseed pol…
73dfcf3 
…icyactivity

Non-cluster host fluent-bit ships policy activity logs to Linseed via
voltron's /ingestion/api/v1/policy_activity/logs/bulk route. Without
'create' on linseed.tigera.io/policyactivity, voltron returns 401
Unauthorized from the per-target RBAC authorizer and records never
reach Linseed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@xiumozhan xiumozhan requested a review from a team as a code owner April 20, 2026 20:00
@marvin-tigera marvin-tigera added this to the v1.42.0 milestone Apr 20, 2026
@rene-dekker rene-dekker merged commit 34c0b4b into tigera:release-v1.42 Apr 22, 2026
3 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rene-dekker rene-dekker rene-dekker approved these changes

Assignees

No one assigned

Labels

docs-pr-required release-note-required

Projects

None yet

Milestone

v1.42.0

Development

Successfully merging this pull request may close these issues.

3 participants

@xiumozhan @rene-dekker @marvin-tigera