chore(module): add more exceptions for privileged containers #2061

Draft
diafour wants to merge 8 commits into main from chore/module/more-security-policy-exceptions-for-privileged-containers

@diafour diafour commented Mar 4, 2026

Description

  • vm-route-forge: add more options into securityContext to match admission policies
  • virtualization-dra: add more rules into SecurityPolicyException
  • virt-handler: add more rules into SecurityPolicyException

Why do we need it, and what problem does it solve?

Something goes wrong when ModuleConfig/admission-policy-engine has no settings: a lot of errors appear, reporting missing/not set/undefined fields. This commit should fix these additional complaints.

What is the expected result?

Privileged containers started in cluster without ModuleConfig/admission-policy-engine

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

@diafour diafour added this to the v1.8.0 milestone Mar 4, 2026
@diafour diafour requested a review from Isteb4k as a code owner March 4, 2026 18:18
@diafour diafour marked this pull request as draft March 16, 2026 09:34
@nevermarine nevermarine modified the milestones: v1.8.0, v1.9.0 Apr 23, 2026
diafour added 5 commits June 4, 2026 10:58
Something goes wrong when ModuleConfig/admission-policy-engine has no settings: a lot of errors appear, reporting missing/not set/undefined fields. This commit should fix these additional complaints.

- vm-route-forge: add more options into securityContext to match admission policies
- virtualization-dra: add more rules into SecurityPolicyException
- virt-handler: add more rules into SecurityPolicyException

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
- Add explicit values in securityContext sections in virt-handler containers.
- Update lib-helm to 1.72.0

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
@diafour diafour force-pushed the chore/module/more-security-policy-exceptions-for-privileged-containers branch from 9293374 to 96d887d Compare June 4, 2026 09:01
diafour added 3 commits June 4, 2026 17:54
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
…virt-handler container, one for node-labeller init container.

++ add capabilities and hostPorts for vm-route-forge

Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Signed-off-by: Ivan Mikheykin <ivan.mikheykin@flant.com>