@diafour diafour commented Jan 15, 2026

Description

Add heritage=deckhouse label to Pods that run in user namespaces:

  • dvcr-importer-*
  • dvcr-uploader-*
  • bounder-*

Also add label to kubevirt and cdi related Pods:

cdi #27

  • cdi-importer-*
  • cdi-uploader-*
  • cdi-clone-*
  • prep-* (cdi-populator-prep)
  • size-detection-*

kubevirt #63

  • virt-launcher-*
  • hp-volume-*

Why do we need it, and what problem does it solve?

Support security hardening for Deckhouse system components implemented by deckhouse/deckhouse#16749

What is the expected result?

Non-system service accounts can't delete Pods created in non-system namespaces by the virtualization module.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: api
type: chore
summary: Add heritage=deckhouse label for Pods created in non-system namespaces
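
An added example, not part of this pull request or the Deckhouse code base: a Go check that reads the JSON from `kubectl get pods -A -o json` and reports Pods matching the name patterns listed in the description that lack `heritage=deckhouse`. `MissingHeritage` and the sample Pod list are hypothetical, and matching by name is an assumption that will also flag unrelated user Pods sharing a prefix such as `prep-`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// Pod name patterns copied from the PR description.
var managedPodPatterns = []string{
	"dvcr-importer-*", "dvcr-uploader-*", "bounder-*", "cdi-importer-*", "cdi-uploader-*",
	"cdi-clone-*", "prep-*", "size-detection-*", "virt-launcher-*", "hp-volume-*",
}

// podList holds only the fields used here; encoding/json matches keys case-insensitively.
type podList struct {
	Items []struct {
		Metadata struct {
			Name, Namespace string
			Labels          map[string]string
		}
	}
}

// MissingHeritage (hypothetical helper) lists "namespace/name" of matching Pods without the label.
func MissingHeritage(raw []byte) ([]string, error) {
	var pl podList
	if err := json.Unmarshal(raw, &pl); err != nil {
		return nil, err
	}
	var missing []string
	for _, p := range pl.Items {
		for _, pat := range managedPodPatterns {
			if ok, _ := path.Match(pat, p.Metadata.Name); ok && p.Metadata.Labels["heritage"] != "deckhouse" {
				missing = append(missing, p.Metadata.Namespace+"/"+p.Metadata.Name)
				break // report each Pod once
			}
		}
	}
	return missing, nil
}

// Constructed sample input, not output from a real cluster.
const samplePods = `{"items":[
 {"metadata":{"name":"virt-launcher-vm1-abcde","namespace":"team-a","labels":{"heritage":"deckhouse"}}},
 {"metadata":{"name":"cdi-importer-disk1","namespace":"team-a","labels":{"app":"cdi"}}},
 {"metadata":{"name":"hp-volume-x7k2p","namespace":"team-b"}},
 {"metadata":{"name":"web-5d9c","namespace":"team-b","labels":{"app":"web"}}}]}`

func main() { fmt.Println(MissingHeritage([]byte(samplePods))) }
```
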

@diafour diafour added this to the v1.5.0 milestone Jan 15, 2026
@diafour diafour requested a review from fl64 as a code owner January 15, 2026 17:41
@diafour diafour added e2e/run Run e2e test on cluster of PR author e2e/user/hayer969 labels Jan 16, 2026
@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Jan 16, 2026
@diafour diafour added the e2e/run Run e2e test on cluster of PR author label Jan 16, 2026
deckhouse-BOaTswain commented Jan 16, 2026

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Jan 16, 2026
@diafour diafour added the e2e/run Run e2e test on cluster of PR author label Jan 16, 2026
@diafour diafour force-pushed the chore/api/add-heritage-deckhouse-label branch from 01ee7ba to 168c4ce Compare January 16, 2026 16:19
Support security hardening for Deckhouse system components implemented by deckhouse/deckhouse#16749

Add heritage=deckhouse label to Pods that run in user namespaces:

- dvcr-importer-*
- dvcr-uploader-*
- bounder-*

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
@diafour diafour force-pushed the chore/api/add-heritage-deckhouse-label branch from 168c4ce to e012c26 Compare January 16, 2026 16:24
@diafour diafour added e2e/run Run e2e test on cluster of PR author and removed e2e/run Run e2e test on cluster of PR author labels Jan 16, 2026
deckhouse-BOaTswain commented Jan 16, 2026

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/run Run e2e test on cluster of PR author label Jan 16, 2026