banzaicloud / istio-operator

An operator that manages Istio deployments on Kubernetes
Apache License 2.0

Openshift support 4.11+ [release-1.16] #887

Closed nishantapatil3 closed 1 year ago

nishantapatil3 commented 1 year ago
| Q | A |
| --- | --- |
| Bug fix? | no |
| New feature? | yes |
| API breaks? | no |
| Deprecations? | no |
| Related tickets | fixes deployment in RHOS-4.11 |
| License | Apache 2.0 |

What's in this PR?

Update podSecurityContext and securityContext to support deployment in Red Hat OpenShift 4.11 (k8s 1.24+).

Why?

This PR fixes requirements for restricted-mode deployment of the pod on RHOS-4.11+ by updating the minimum required OpenShift policy settings for istio-operator.

Additional context

OpenShift requires additional policy settings for istio-operator to operate. This change addresses the requirement to deploy istio-operator on both K8s and RHOS clusters.

Checklist

Tests

  1. RHOS - 4.11

    ❯ kubectl config current-context
    default/api-nispatil-1-24-gxb4-p1-openshiftapps-com:6443/cluster-admin
    ❯ k get node
    NAME                                         STATUS   ROLES          AGE   VERSION
    ip-10-0-129-184.us-west-2.compute.internal   Ready    master         14d   v1.24.6+5658434
    ip-10-0-158-245.us-west-2.compute.internal   Ready    worker         14d   v1.24.6+5658434
    ip-10-0-184-188.us-west-2.compute.internal   Ready    infra,worker   14d   v1.24.6+5658434
    ip-10-0-205-51.us-west-2.compute.internal    Ready    master         14d   v1.24.6+5658434
    ip-10-0-221-177.us-west-2.compute.internal   Ready    infra,worker   14d   v1.24.6+5658434
    ip-10-0-222-163.us-west-2.compute.internal   Ready    worker         14d   v1.24.6+5658434
    ip-10-0-242-8.us-west-2.compute.internal     Ready    master         14d   v1.24.6+5658434
    ❯
    ❯ k get pods -n smm-system -o wide
    NAME                             READY   STATUS    RESTARTS   AGE   IP             NODE                                         NOMINATED NODE   READINESS GATES
    istio-operator-84f4d78d8-66n4l   2/2     Running   0          44s   10.128.9.203   ip-10-0-158-245.us-west-2.compute.internal   <none>           <none>
    ❯

  2. k8s 1.24

    ❯ kubectl config current-context
    nispatil-eks2
    ❯ k get node
    NAME                                           STATUS   ROLES    AGE     VERSION
    ip-192-168-65-148.us-west-2.compute.internal   Ready    <none>   15d     v1.24.7-eks-fb459a0
    ip-192-168-71-118.us-west-2.compute.internal   Ready    <none>   16d     v1.24.7-eks-fb459a0
    ip-192-168-78-148.us-west-2.compute.internal   Ready    <none>   6d10h   v1.24.7-eks-fb459a0
    ❯ k get pods -n smm-system -o wide
    NAME                              READY   STATUS    RESTARTS   AGE   IP               NODE                                           NOMINATED NODE   READINESS GATES
    istio-operator-5c8744556b-75gzm   2/2     Running   0          99m   192.168.75.142   ip-192-168-65-148.us-west-2.compute.internal   <none>           <none>
    ❯

CLAassistant commented 1 year ago

CLA assistant check
All committers have signed the CLA.

nishantapatil3 commented 1 year ago

@tiswanso

nishantapatil3 commented 1 year ago

Ready to review @LuciferInLove @shanchunyang0919 @tiswanso @Laci21

nishantapatil3 commented 1 year ago

Thanks for the review @LuciferInLove @shanchunyang0919