From ec9746a448a14886bf87009cdd2e5e281bb4ec1e Mon Sep 17 00:00:00 2001
From: Ivan Mikheykin
Date: Thu, 15 Jan 2026 19:49:41 +0300
Subject: [PATCH 1/3] chore: add heritage=deckhouse label for Pods in user ns
Support security hardening for Deckhouse system components implemented by https://github.com/deckhouse/deckhouse/pull/16749
Add heritage=deckhouse label to Pods that run in user namespaces:
- dvcr-importer-*
- dvcr-uploader-*
- bounder-*
Signed-off-by: Ivan Mikheykin
---
 .../pkg/common/annotations/annotations.go | 5 +++++
 .../pkg/controller/bounder/bounder.go | 3 +++
 .../pkg/controller/importer/importer_pod.go | 1 +
 .../pkg/controller/uploader/uploader_pod.go | 1 +
 4 files changed, 10 insertions(+)
diff --git a/images/virtualization-artifact/pkg/common/annotations/annotations.go b/images/virtualization-artifact/pkg/common/annotations/annotations.go
index 64af0ead86..03ae60b5c7 100644
--- a/images/virtualization-artifact/pkg/common/annotations/annotations.go
+++ b/images/virtualization-artifact/pkg/common/annotations/annotations.go
@@ -176,6 +176,11 @@ const (
 // QuotaExcludeLabel provides a constant for exclude quota label.
 QuotaExcludeLabel = "resource-quota-overrides.deckhouse.io/ignore"
+ // HeritageLabel is the label to indicate Pod heritage.
+ HeritageLabel = "heritage"
+ // DeckhouseLabelValue is the value to indicate Pod is related to the deckhouse.
+ DeckhouseLabelValue = "deckhouse"
+
 // InhibitNodeShutdownLabel is a label to prevent node shutdown is Pod with label is present.
 InhibitNodeShutdownLabel = "pod.deckhouse.io/inhibit-node-shutdown"
diff --git a/images/virtualization-artifact/pkg/controller/bounder/bounder.go b/images/virtualization-artifact/pkg/controller/bounder/bounder.go
index 4dffbcf623..bfe7270a8e 100644
--- a/images/virtualization-artifact/pkg/controller/bounder/bounder.go
+++ b/images/virtualization-artifact/pkg/controller/bounder/bounder.go
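Review bot: The new doc comments on `HeritageLabel` and `DeckhouseLabelValue` do not say why this key is the bare, unprefixed `heritage` while every neighbouring label in the block is namespaced (`resource-quota-overrides.deckhouse.io/ignore`, `pod.deckhouse.io/inhibit-node-shutdown`); since the exact key is dictated by the platform hardening the commit message points at, that dependency belongs next to the constant so nobody "fixes" it later, e.g. `// HeritageLabel is the unprefixed "heritage" label key expected by the Deckhouse platform hardening (deckhouse/deckhouse#16749); do not rename or namespace it.` If that hardening uses `heritage=deckhouse` to recognise platform Pods inside user namespaces, the same comment should state that the label only identifies Deckhouse-managed Pods and must not by itself be treated as a privilege grant, because any principal allowed to create Pods in that namespace can set the same key and value. The second comment also reads awkwardly; `is the value to indicate Pod is related to the deckhouse` → `is the HeritageLabel value marking a Pod as owned by Deckhouse`.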
@@ -86,6 +86,9 @@ func (imp *Bounder) makeBounderPodSpec() (*corev1.Pod, error) {
 Annotations: map[string]string{
 annotations.AnnCreatedBy: "yes",
 },
+ Labels: map[string]string{
+ annotations.HeritageLabel: annotations.DeckhouseLabelValue,
+ },
 Finalizers: []string{
 imp.PodSettings.Finalizer,
 },
diff --git a/images/virtualization-artifact/pkg/controller/importer/importer_pod.go b/images/virtualization-artifact/pkg/controller/importer/importer_pod.go
index 2ba1faec67..578b737295 100644
--- a/images/virtualization-artifact/pkg/controller/importer/importer_pod.go
+++ b/images/virtualization-artifact/pkg/controller/importer/importer_pod.go
@@ -122,6 +122,7 @@ func (imp *Importer) makeImporterPodSpec() (*corev1.Pod, error) {
 Name: imp.PodSettings.Name,
 Namespace: imp.PodSettings.Namespace,
 Labels: map[string]string{
+ annotations.HeritageLabel: annotations.DeckhouseLabelValue,
 annotations.AppLabel: annotations.DVCRLabelValue,
 annotations.QuotaExcludeLabel: annotations.QuotaExcludeValue,
 },
diff --git a/images/virtualization-artifact/pkg/controller/uploader/uploader_pod.go b/images/virtualization-artifact/pkg/controller/uploader/uploader_pod.go
index a6a9a96d7b..1d50a8e52f 100644
--- a/images/virtualization-artifact/pkg/controller/uploader/uploader_pod.go
+++ b/images/virtualization-artifact/pkg/controller/uploader/uploader_pod.go
@@ -95,6 +95,7 @@ func (p *Pod) makeSpec() (*corev1.Pod, error) {
 annotations.AnnCreatedBy: "yes",
 },
 Labels: map[string]string{
+ annotations.HeritageLabel: annotations.DeckhouseLabelValue,
 annotations.AppLabel: annotations.DVCRLabelValue,
 annotations.UploaderServiceLabel: p.PodSettings.ServiceName,
 annotations.QuotaExcludeLabel: annotations.QuotaExcludeValue,
From 65a1781e672be64bb333af09246a29af97daf452 Mon Sep 17 00:00:00 2001
From: Ivan Mikheykin
Date: Thu, 15 Jan 2026 20:41:12 +0300
Subject: [PATCH 2/3] ++ use 3p-kubevirt, 3p-cdi with added label
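Review bot: The `Labels` map added in `makeBounderPodSpec` carries only the heritage pair, whereas the importer and uploader hunks in this same commit insert it into maps that also hold `annotations.QuotaExcludeLabel: annotations.QuotaExcludeValue`; if the bounder Pod is meant to be exempt from namespace quota like the other helper Pods, that looks like an omission worth confirming rather than a deliberate difference. The literal `annotations.HeritageLabel: annotations.DeckhouseLabelValue` is now hand-copied into three Pod builders (this hunk, importer_pod.go, uploader_pod.go), and the third patch in the series already shows one copy needing a gofmt fix; a small constructor in the annotations package, e.g. `func DeckhouseHeritageLabels() map[string]string`, that each builder starts from would keep the three from drifting. All three enclosing functions begin and end outside their hunks.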
Signed-off-by: Ivan Mikheykin
---
 build/components/versions.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/build/components/versions.yml b/build/components/versions.yml
index cf2bde402c..6a20983d78 100644
--- a/build/components/versions.yml
+++ b/build/components/versions.yml
@@ -3,8 +3,10 @@ firmware:
 libvirt: v10.9.0
 edk2: stable202411
 core:
- 3p-kubevirt: v1.6.2-v12n.5
- 3p-containerized-data-importer: v1.60.3-v12n.14
+ #3p-kubevirt: v1.6.2-v12n.5
+ #3p-containerized-data-importer: v1.60.3-v12n.14
+ 3p-kubevirt: dvp/chore/add-heritage-label
+ 3p-containerized-data-importer: dvp/chore/add-heritage-label
 distribution: 2.8.3
 package:
 acl: v2.3.1
From e012c26f705b4eccf020268e08bccdfc9bcf1e3d Mon Sep 17 00:00:00 2001
From: Ivan Mikheykin
Date: Thu, 15 Jan 2026 20:52:38 +0300
Subject: [PATCH 3/3] ++ linting
Signed-off-by: Ivan Mikheykin
---
 .../pkg/controller/importer/importer_pod.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/images/virtualization-artifact/pkg/controller/importer/importer_pod.go b/images/virtualization-artifact/pkg/controller/importer/importer_pod.go
index 578b737295..859ae7ce82 100644
--- a/images/virtualization-artifact/pkg/controller/importer/importer_pod.go
+++ b/images/virtualization-artifact/pkg/controller/importer/importer_pod.go
@@ -122,7 +122,7 @@ func (imp *Importer) makeImporterPodSpec() (*corev1.Pod, error) {
 Name: imp.PodSettings.Name,
 Namespace: imp.PodSettings.Namespace,
 Labels: map[string]string{
- annotations.HeritageLabel: annotations.DeckhouseLabelValue,
+ annotations.HeritageLabel: annotations.DeckhouseLabelValue,
 annotations.AppLabel: annotations.DVCRLabelValue,
 annotations.QuotaExcludeLabel: annotations.QuotaExcludeValue,
 },
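Review bot: `3p-kubevirt` and `3p-containerized-data-importer` are moved from the immutable tags `v1.6.2-v12n.5` and `v1.60.3-v12n.14` to the branch name `dvp/chore/add-heritage-label`, which is a mutable ref: what gets pulled into the build can change, or vanish when the branch is deleted, with no corresponding diff in this file, so the build is no longer reproducible or reviewable from this repository alone. Before merge these two entries should point at the release tags cut from that branch (or a full commit SHA), and the commented-out `#3p-kubevirt: v1.6.2-v12n.5` / `#3p-containerized-data-importer: v1.60.3-v12n.14` lines should be removed rather than left as a stale second copy of the version. The `++` commit title suggests this is an interim pin; if so, a `# TODO: replace with tagged release before merge` beside the branch refs would keep it from slipping through.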