fix: Clean up MetalLB pod security standards labels #807
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
faiq
approved these changes
Jul 16, 2024
This commit removes the `pod-security.kubernetes.io/audit` and `pod-security.kubernetes.io/warn` labels as they are redundant when specifying the `pod-security.kubernetes.io/enforce` label to the same level. Also add the `pod-security.kubernetes.io/enforce-version` label to always enforce the latest pod security polify version, even on upgrade. This is fine because we are specifying the omst privileged pod security standard, `privileged`, and as such should be safe to always enfore the latest policy version.
jimmidyson
force-pushed
the
jimmi/service-lb-pod-security
branch
from
771f281 to
a604c90
Compare
|
Thanks. Really wish these could be managed together with the Chart. |
dlipovetsky
approved these changes
Jul 16, 2024
Merged
jimmidyson
added a commit
that referenced
this pull request
Jul 18, 2024
🤖 I have created a release *beep* *boop* --- ## 0.13.0 (2024-07-18) <!-- Release notes generated using configuration in .github/release.yaml at main --> ## What's Changed ### Exciting New Features 🎉 * feat: Secure ciphers, min TLS v1.2, and disable auto TLS for etcd by @jimmidyson in #808 * feat: Bump default k8s version for tests to v1.29.6 by @jimmidyson in #784 ### Fixes 🔧 * fix: add omitempty to addon strategy by @dkoshkin in #795 * fix: update CCM to 0.3.4 to fix sweet32 issue by @tuxtof in #805 * fix: Clean up MetalLB pod security standards labels by @jimmidyson in #807 * fix: Fix ownership of ClusterAutoscaler resources by @jimmidyson in #810 ### Other Changes * ci: Run e2e jobs only if unit-test, lint-*, and pre-commit jobs pass by @dlipovetsky in #796 * ci: Enable verbose output for e2e tests by @dlipovetsky in #797 * test: Verify ServiceLoadBalancer in e2e Docker and Nutanix tests by @dlipovetsky in #788 * refactor: Use CAPI conditions check where possible by @dlipovetsky in #789 * test(e2e): Use parallel tests for providers other than Docker by @jimmidyson in #787 ## New Contributors * @tuxtof made their first contribution in #805 **Full Changelog**: v0.12.1...v0.13.0 --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit removes the
pod-security.kubernetes.io/auditandpod-security.kubernetes.io/warnlabels as they are redundant whenspecifying the
pod-security.kubernetes.io/enforcelabel to the samelevel.
Also add the
pod-security.kubernetes.io/enforce-versionlabel toalways enforce the latest pod security policy version, even on upgrade.
This is fine because we are specifying the most privileged pod security
standard,
privileged, and as such should be safe to always enforce thelatest policy version.