From f65060b2604774b75e9b7884dddf5aeb19ce8f72 Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Thu, 18 Jun 2026 18:33:05 +0200
Subject: [PATCH] Apply Pod Security Admission labels on namespace

We label the namespace with all three Pod Security Admission labels (`audit`, `warn`, `enforce`) set to `privileged`
This ensures that the CCM pods (which use `hostNetwork=true` to avoid bootstrap issues) can be scheduled.
---
 component/main.jsonnet | 5 +++++
 docs/modules/ROOT/pages/references/parameters.adoc | 8 ++++++++
 .../cloudscale-cloud-controller-manager/00_namespace.yaml | 3 +++
 .../cloudscale-cloud-controller-manager/00_namespace.yaml | 3 +++
 4 files changed, 19 insertions(+)

diff --git a/component/main.jsonnet b/component/main.jsonnet
index da4c0c0..2bdf658 100644
--- a/component/main.jsonnet
+++ b/component/main.jsonnet
@@ -119,6 +119,11 @@ local objKey(prefix, obj) =
 // non-OCP.
 'openshift.io/node-selector': '',
 },
+ labels+: {
+ 'pod-security.kubernetes.io/audit': 'privileged',
+ 'pod-security.kubernetes.io/enforce': 'privileged',
+ 'pod-security.kubernetes.io/warn': 'privileged',
+ },
 },
 },
 '01_secret': tokenSecret,
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
index 8084078..131648a 100644
--- a/docs/modules/ROOT/pages/references/parameters.adoc
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -10,6 +10,14 @@ default:: `syn-cloudscale-cloud-controller-manager`
 The namespace in which to deploy this component.
+[TIP]
+====
+The component labels the namespace with the Kubernetes Pod Security Admission labels set to `privileged`.
+This ensures that the CCM pods (which use `hostNetwork=true` to avoid issues during cluster bootstrap) are admitted.
+====
+
+NOTE: The component won't emit a manifest for the namespace if this parameter is set to `kube-system`.
+
 == `manifests_version`
 [horizontal]
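Review bot: `'pod-security.kubernetes.io/enforce': 'privileged'` in the new `labels+:` block switches Pod Security Admission off for every pod created in this namespace, not only the CCM; `hostNetwork=true` does require `privileged` because the `baseline` profile rejects host namespaces, but the code carries no comment saying so, and a later reader cannot tell that the exception is deliberate or how broad it is. I would add above `labels+:` the comment `// PSA: the CCM needs hostNetwork=true (rejected by the baseline profile), so the namespace must be 'privileged'. This admits any privileged pod here — keep pod-create RBAC on this namespace limited to the component.` The namespace object this hunk patches starts above the hunk. On OpenShift, I believe the SCC-to-PSA label syncer also manages these three labels on namespaces not prefixed with `openshift-`; if that applies to the targeted OCP versions, setting `'security.openshift.io/scc.podSecurityLabelSync': 'false'` next to them would make label ownership explicit — worth confirming against the cluster version before relying on it.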
diff --git a/tests/golden/defaults/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/00_namespace.yaml b/tests/golden/defaults/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/00_namespace.yaml
index 9b2aa07..77320a2 100644
--- a/tests/golden/defaults/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/00_namespace.yaml
+++ b/tests/golden/defaults/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/00_namespace.yaml
@@ -5,4 +5,7 @@ metadata:
 openshift.io/node-selector: ''
 labels:
 name: syn-cloudscale-cloud-controller-manager
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/warn: privileged
 name: syn-cloudscale-cloud-controller-manager
diff --git a/tests/golden/openshift4/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/00_namespace.yaml b/tests/golden/openshift4/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/00_namespace.yaml
index 9b2aa07..77320a2 100644
--- a/tests/golden/openshift4/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/00_namespace.yaml
+++ b/tests/golden/openshift4/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/00_namespace.yaml
@@ -5,4 +5,7 @@ metadata:
 openshift.io/node-selector: ''
 labels:
 name: syn-cloudscale-cloud-controller-manager
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/warn: privileged
 name: syn-cloudscale-cloud-controller-manager