chore: add heritage=deckhouse label for Pods in user ns #1880

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

diafour wants to merge 5 commits into main from chore/api/add-heritage-deckhouse-label

Member

diafour commented Jan 15, 2026 •

edited

Loading

Description

Add heritage=deckhouse label to Pods that run in user namespaces:

dvcr-importer-*
dvcr-uploader-*
bounder-*

Also add label to kubevirt and cdi related Pods:

cdi-importer-*
cdi-uploader-*
cdi-clone-*
prep-* (cdi-populator-prep)
size-detection-*

virt-launcher-*
hp-volume-*

Why do we need it, and what problem does it solve?

Support security hardening for Deckhouse system components implemented by deckhouse/deckhouse#16749

What is the expected result?

Non-system service accounts can't delete Pods created in non-system namespaces by the virtualization module.

Checklist

The code is covered by unit tests.
e2e tests passed.
Documentation updated according to the changes.
Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: api
type: chore
summary: Add heritage=deckhouse label for Pods created in non-system namespaces

diafour added this to the v1.5.0 milestone

diafour requested review from Isteb4k and yaroslavborbat as code owners

January 15, 2026 17:11

github-actions bot assigned diafour

diafour requested a review from fl64 as a code owner

January 15, 2026 17:41

diafour added e2e/run e2e/user/hayer969 labels

deckhouse-BOaTswain removed the e2e/run label

diafour added the e2e/run label

Contributor

deckhouse-BOaTswain commented Jan 16, 2026 •

edited

Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

deckhouse-BOaTswain removed the e2e/run label

diafour added the e2e/run label

diafour force-pushed the chore/api/add-heritage-deckhouse-label branch 2 times, most recently from 168c4ce to e012c26 Compare

January 16, 2026 16:24

diafour added e2e/run and removed e2e/run labels

Contributor

deckhouse-BOaTswain commented Jan 16, 2026 •

edited

Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

deckhouse-BOaTswain removed the e2e/run label

diafour added e2e/run and removed e2e/user/hayer969 labels

Contributor

deckhouse-BOaTswain commented Jan 19, 2026

Workflow has started.
Follow the progress here: Workflow Run

deckhouse-BOaTswain removed the e2e/run label

diafour force-pushed the chore/api/add-heritage-deckhouse-label branch from e012c26 to 44e4967 Compare

January 19, 2026 14:19

diafour added e2e/run e2e/user/hayer969 labels

deckhouse-BOaTswain removed the e2e/run label

diafour added 4 commits

January 19, 2026 17:35


          chore: add heritage=deckhouse label for Pods in user ns

d38be17

Support security hardening for Deckhouse system components implemented by deckhouse/deckhouse#16749

Add heritage=deckhouse label to Pods that run in user namespaces:

- dvcr-importer-*
- dvcr-uploader-*
- bounder-*

Signed-off-by: Ivan Mikheykin <[email protected]>


          ++ use 3p-kubevirt, 3p-cdi with added label

3ace6e6

Signed-off-by: Ivan Mikheykin <[email protected]>


          ++ linting

e496f98

Signed-off-by: Ivan Mikheykin <[email protected]>


          ++ ignore hdd-based storage classes

a4f3663

Signed-off-by: Ivan Mikheykin <[email protected]>

diafour force-pushed the chore/api/add-heritage-deckhouse-label branch from 44e4967 to a4f3663 Compare

January 19, 2026 14:35

diafour added the e2e/run label

Contributor

deckhouse-BOaTswain commented Jan 19, 2026 •

edited

Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

deckhouse-BOaTswain removed the e2e/run label

diafour added the e2e/run label

Contributor

deckhouse-BOaTswain commented Jan 19, 2026 •

edited

Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

deckhouse-BOaTswain removed the e2e/run label


          ++ increase e2e tests timeout

0e56dac

Signed-off-by: Ivan Mikheykin <[email protected]>

diafour added the e2e/run label

Contributor

deckhouse-BOaTswain commented Jan 19, 2026 •

edited

Loading

Workflow has started.
Follow the progress here: Workflow Run

The target step completed with status: failure.

deckhouse-BOaTswain removed the e2e/run label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Isteb4k Awaiting requested review from Isteb4k Isteb4k is a code owner

yaroslavborbat Awaiting requested review from yaroslavborbat yaroslavborbat is a code owner

fl64 Awaiting requested review from fl64 fl64 is a code owner

At least 1 approving review is required to merge this pull request.

Labels

e2e/user/hayer969