
chore(module): add SecurityPolicyExceptions for Pods #2026

Open
diafour wants to merge 2 commits into main from chore/module/add-security-policy-exceptions

Conversation

@diafour diafour commented Feb 25, 2026

Description

Add exceptions for all Pods that require more permissions than provided by the PSS "Restricted":

  • ds/virt-handler
  • ds/virtualization-dra
  • ds/vm-route-forge

Why do we need it, and what problem does it solve?

Deckhouse now supports per-pod exceptions for security policies using SecurityPolicyException resources.

What is the expected result?

  • The module works correctly with security checks enabled for the d8-virtualization namespace.
  • gatekeeper-audit has no complaints in its logs about Pods in the d8-virtualization namespace.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: module
type: chore
summary: Add SecurityPolicyExceptions for module Pods with extended permissions (ds/virt-handler, ds/virtualization-dra, ds/vm-route-forge).
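To see which "Restricted" controls a Pod spec actually trips before granting it an exception, here is an added Python example (not code from this PR or from Deckhouse). It audits a Pod manifest against the Pod Security Standards "Restricted" profile controls (host namespaces, privileged, volume types, capabilities, privilege escalation, runAsNonRoot, seccomp, hostPort) and lists every violation, so an exception can be scoped to exactly what a workload needs. Both manifests are constructed: the node-agent Pod is a hypothetical stand-in for a DaemonSet Pod with extended permissions, not the real spec of virt-handler, virtualization-dra or vm-route-forge.

```python
"""Audit Pod specs against the Kubernetes Pod Security Standards "Restricted" profile.

Added example; the manifests below are constructed, not taken from the PR.
"""

# Volume types the Restricted profile permits (PSS "Volume Types" control).
RESTRICTED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
# Restricted allows dropping ALL and adding back only NET_BIND_SERVICE.
ALLOWED_ADDED_CAPABILITIES = {"NET_BIND_SERVICE"}
ALLOWED_SECCOMP_TYPES = {"RuntimeDefault", "Localhost"}


def _all_containers(spec: dict):
    """Yield init, regular and ephemeral containers; PSS checks all of them."""
    for key in ("initContainers", "containers", "ephemeralContainers"):
        yield from spec.get(key, [])


def _effective(container_sc: dict, pod_sc: dict, field: str):
    """Container-level securityContext overrides the pod-level value."""
    return container_sc[field] if field in container_sc else pod_sc.get(field)


def restricted_violations(pod: dict) -> list[str]:
    """Return a list of human-readable Restricted-profile violations for one Pod."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    violations: list[str] = []

    # Baseline control: host namespaces must be false or unset.
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            violations.append(f"spec.{ns} must be false or unset")

    # Restricted control: only a fixed set of volume types (this also covers hostPath).
    for vol in spec.get("volumes", []):
        for vol_type in (k for k in vol if k != "name"):
            if vol_type not in RESTRICTED_VOLUME_TYPES:
                violations.append(
                    f"volume {vol.get('name')!r} uses disallowed type {vol_type!r}")

    for c in _all_containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"container {name!r}: privileged must be false or unset")
        # Restricted requires an explicit false, not merely "unset".
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(
                f"container {name!r}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            violations.append(f"container {name!r}: capabilities.drop must include ALL")
        extra = [a for a in (caps.get("add") or []) if a not in ALLOWED_ADDED_CAPABILITIES]
        if extra:
            violations.append(f"container {name!r}: adds disallowed capabilities {extra}")
        if _effective(sc, pod_sc, "runAsNonRoot") is not True:
            violations.append(f"container {name!r}: runAsNonRoot must be true (pod or container level)")
        if _effective(sc, pod_sc, "runAsUser") == 0:
            violations.append(f"container {name!r}: runAsUser must not be 0")
        seccomp = _effective(sc, pod_sc, "seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP_TYPES:
            violations.append(
                f"container {name!r}: seccompProfile.type must be RuntimeDefault or Localhost")
        for port in c.get("ports", []):
            if port.get("hostPort"):
                violations.append(f"container {name!r}: hostPort {port['hostPort']} is not allowed")
    return violations


# Constructed manifest that satisfies every Restricted control.
COMPLIANT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "compliant-example", "namespace": "example-ns"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "example.invalid/app:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
        "volumes": [{"name": "cfg", "configMap": {"name": "app-config"}}],
    },
}

# Constructed, hypothetical node-agent Pod of the kind a DaemonSet might run;
# it needs an exception for every control it trips below.
NODE_AGENT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "node-agent-example", "namespace": "example-ns"},
    "spec": {
        "hostNetwork": True, "hostPID": True,
        "containers": [{
            "name": "agent", "image": "example.invalid/agent:1.0",
            "securityContext": {"privileged": True},
            "ports": [{"containerPort": 8080, "hostPort": 8080}],
        }],
        "volumes": [{"name": "host-root", "hostPath": {"path": "/", "type": "Directory"}}],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NODE_AGENT_POD):
        print(pod["metadata"]["name"])
        for v in restricted_violations(pod) or ["  (no violations)"]:
            print(" -", v)
```

The violation list is the same set of findings a Restricted-enforcing admission controller or audit tool reports; comparing it with the exception you are about to write is a quick way to confirm the exception grants no more than the workload demonstrably needs.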

@diafour diafour added this to the v1.7.0 milestone Feb 25, 2026
@diafour diafour requested a review from Isteb4k as a code owner February 25, 2026 13:40
@diafour diafour marked this pull request as draft February 26, 2026 07:54
@diafour diafour added the build/github/ubuntu Run jobs on github runners label Feb 26, 2026
@diafour diafour force-pushed the chore/module/add-security-policy-exceptions branch from 2db9908 to b15932f February 26, 2026 17:21
@diafour diafour added the validation/skip/doc_changes Skip doc changes validation label Feb 26, 2026
- Add exceptions for all Pods that require more permissions than provided by the PSS Restricted:
  - ds/virt-handler
  - ds/virtualization-dra
  - ds/vm-route-forge
- Add a dev note about SecurityPolicyExceptions.

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
@diafour diafour force-pushed the chore/module/add-security-policy-exceptions branch from b15932f to 31ee00c February 26, 2026 17:40
@diafour diafour marked this pull request as ready for review February 26, 2026 17:40
Signed-off-by: Vladislav Panfilov <vladislav.panfilov@flant.com>
