Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
b
best-microphone-20624
01/27/2023, 12:15 PMGreetings, is it expected that the psa exemption namespaces listed in the following link should support all CNIs or just the default canal CNI? https://github.com/rancher/rke2/blob/0ab4614b13daa5a49e484249a49012918d46ed22/pkg/rke2/psa.go#L58
c
creamy-pencil-82913
01/27/2023, 5:20 PMIt should work for all the CNIs that come with rke2. Only the one of them requires an additional namespace, the others just use kube-system.
b
best-microphone-20624
01/28/2023, 5:45 AMI was under the impression that the Calico tigera-operator installed privileged Calico workloads into both the
calico-systemcalico-apiserverHi @creamy-pencil-82913 For example, the
calico-nodecalico-systemsecurityContext.privileged: trueAccording to the helm chart link below, the rke2 calico chart disables the calico apiServer by default. Since it is possible to override the default, would it make sense to consider adding namespace
calico-apiserverc
creamy-pencil-82913
02/01/2023, 8:50 PMas far as I know we’ve not seen that to be necessary
I believe that’s because the Tigera operator itself handles adding the correct pod-security labels to the namespace. That’s the preferred way to manage that, as opposed to hardcoding the namespaces in the PSA config
brandond@dev01:~$ kubectl get namespace calico-system -o yaml
apiVersion: v1
kind: Namespace
metadata:
creationTimestamp: "2023-02-01T20:49:06Z"
labels:
<http://kubernetes.io/metadata.name|kubernetes.io/metadata.name>: calico-system
name: calico-system
<http://pod-security.kubernetes.io/enforce|pod-security.kubernetes.io/enforce>: privileged
<http://pod-security.kubernetes.io/enforce-version|pod-security.kubernetes.io/enforce-version>: latest
name: calico-system
ownerReferences:
- apiVersion: <http://operator.tigera.io/v1|operator.tigera.io/v1>
blockOwnerDeletion: true
controller: true
kind: Installation
name: default
uid: 37ca9fde-175a-4d75-83f4-1cb9bb0af38e
resourceVersion: "835"
uid: 1a56a63b-d54e-436c-a5d1-d52cf8b155c3
spec:
finalizers:
- kubernetes
status:
phase: Activeso yeah, not necessary
the operator should do the same for the apiserver namespace, if it creates it
b
best-microphone-20624
02/01/2023, 8:59 PMAny idea when this behavior was added to the Tigera operator? Do you know if this behavior applies to all 1.23+ RKE2 versions, regardless whether cis-mode is enabled or not?
c
creamy-pencil-82913
02/01/2023, 9:03 PMno, I don’t know when the tigera operator added that behavior. I’d defer to the Tigera folks on that.
I suspect that newer releases just add the labels unconditionally, since there’s no harm in having them even if PSA isn’t enabled.