PolicyRecommendation needs to access resource within a tenant namespace #3052

Merged
merged 7 commits into from
Dec 13, 2023

@asincu asincu commented Dec 9, 2023

Description

Enable access per tenant for PolicyRecommendation:

  • Access per tenant Linseed (use the tenant namespace service and modify networkpolicy to access resources in the tenant namespace)
  • Access per tenant Manager (use the tenant namespace service and modify networkpolicy to access resources in the tenant namespace)
  • Bind RBAC using the tenant service account
  • Add impersonation rights for multi-tenant
  • Allow to get managed clusters from tigera-policy-recommendation in a multi-tenant environment

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a new feature.
    • enterprise if this PR applies to Calico Enterprise only.

@asincu asincu merged commit d54d499 into tigera:master Dec 13, 2023
3 checks passed
@asincu asincu deleted the policyrec_multi_tenant branch December 13, 2023 19:39
asincu added a commit to asincu/operator that referenced this pull request Dec 14, 2023
…ce (tigera#3052)

* PolicyRecommendation needs to access resource within a tenant namespace

* [CODE REVIEW] Update bindnamespaces

* Add impersonation rbac

* Allow to get managed clusters using the impersonated service account

* Relax linseed ingress network policy for network policy

* Test updates

* [CODE REVIEW] Update bind namespace
asincu added a commit to asincu/operator that referenced this pull request Jan 10, 2024
…ce (tigera#3052)
