Allow operator to set PSA in Rancher #840
Open
Change description
In Rancher, it is not enough to have `patch` permissions for a namespace in order to set PSA labels. It is also required to have the `updatepsa` permission on the `projects` resource, as outlined here.
This rule allows the Trident operator to set the PSA label `pod-security.kubernetes.io/enforce: privileged` on its installation namespace in Rancher.
Project tracking
I have no insight into your internal Jira.
Do any added TODOs have an issue in the backlog?
No added TODOs.
Did you add unit tests? Why not?
No. I see no unit tests for your Helm chart today, and I cannot be the one to introduce it for you. I can only build on what you already have.
Does this code need functional testing?
I don't know, it depends on your testing practices and current pipelines. It would be great if you had a pipeline that tries to install the operator in Rancher to see that it works, but I understand if you cannot prioritize a specific Kubernetes management system like that.
Is a code review walkthrough needed? Why or why not?
No, it should be fairly straightforward to read the diff without a walk-through. But I'm happy to help if needed.
Should additional test coverage be executed in addition to pre-merge?
I don't think so.
Does this code need a note in the changelog?
It is not required, but might be nice with a note mentioning that this fixes bug #839.
Does this code require documentation changes?
No.
Additional Information
Closes #839
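
An added example, not part of the pull request or the Trident chart: a small check of whether a set of RBAC rules carries both grants the description names. The rule sets are constructed, and the `management.cattle.io` API group for `projects` is an assumption that does not come from this page.

```python
# Added example: evaluates constructed RBAC rules, not the Trident chart's own.
# Assumption: Rancher's `projects` resource lives in the management.cattle.io group.
REQUIRED = [
    ("", "namespaces", "patch"),                        # write the PSA label
    ("management.cattle.io", "projects", "updatepsa"),  # Rancher's extra gate
]


def _match(granted, wanted):
    """RBAC list match: an exact entry or the '*' wildcard."""
    return "*" in granted or wanted in granted


def rule_allows(rule, group, resource, verb):
    """True if one PolicyRule grants verb on group/resource for any object name."""
    if rule.get("resourceNames"):
        # Simplification: the target name is unknown here, so a name-scoped
        # rule is conservatively treated as not sufficient.
        return False
    return (_match(rule.get("apiGroups", []), group)
            and _match(rule.get("resources", []), resource)
            and _match(rule.get("verbs", []), verb))


def missing_for_rancher_psa(rules):
    """Return the required (group, resource, verb) tuples that no rule grants."""
    return [req for req in REQUIRED
            if not any(rule_allows(r, *req) for r in rules)]


# Constructed rules resembling an operator ClusterRole before the change.
BEFORE = [
    {"apiGroups": [""], "resources": ["namespaces"],
     "verbs": ["get", "list", "patch"]},
]
# The same rules plus the grant described in the pull request.
AFTER = BEFORE + [
    {"apiGroups": ["management.cattle.io"], "resources": ["projects"],
     "verbs": ["updatepsa"]},
]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, "missing:", missing_for_rancher_psa(rules))
```

Feeding it the `rules` list from a rendered ClusterRole shows which of the two grants is absent before installing into a Rancher-managed cluster.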