@sjberman sjberman commented Apr 1, 2025

Problem: Now that we have additional pods in the new architecture, we need the proper SecurityContextConstraints for running in OpenShift.

Solution: Create an SCC for the cert-generator and an SCC for nginx data plane pods on startup. A Role and RoleBinding are created when deploying nginx to link to the SCC.

Testing: Verified that all objects are created and running with the proper permissions in OpenShift.

Closes #3064

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.
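
How a Role and RoleBinding can link a pod's ServiceAccount to one specific SCC, shown as an added example that is not part of this PR or the project's manifests. Every name, namespace and SCC field value below is hypothetical.

```yaml
# Added example; every name and field value here is hypothetical, not taken from the PR.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: example-nginx-scc
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostNetwork: false
allowHostPorts: false
allowHostPID: false
allowHostIPC: false
allowHostDirVolumePlugin: false
readOnlyRootFilesystem: true        # assumes writable paths are emptyDir mounts
requiredDropCapabilities: ["ALL"]
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs                   # level comes from the namespace annotations
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: MustRunAs
seccompProfiles: ["runtime/default"]
volumes: ["configMap", "emptyDir", "projected", "secret"]
users: []                           # empty: access is granted via RBAC below
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-nginx-scc-user
  namespace: example-gateway-ns
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["example-nginx-scc"]   # this SCC only, not every SCC
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-nginx-scc-user
  namespace: example-gateway-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: example-nginx-scc-user
subjects:
  - kind: ServiceAccount
    name: example-nginx
    namespace: example-gateway-ns
```

Scoping the `use` verb with `resourceNames` and binding it in a single namespace keeps the grant limited to that one ServiceAccount and that one SCC.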


@sjberman sjberman requested a review from a team as a code owner April 1, 2025 19:37
@github-actions github-actions bot added documentation Improvements or additions to documentation chore Pull requests for routine tasks helm-chart Relates to helm chart labels Apr 1, 2025
codecov bot commented Apr 1, 2025

Codecov Report

Attention: Patch coverage is 63.53591% with 66 lines in your changes missing coverage. Please review.

Project coverage is 86.50%. Comparing base (6337c97) to head (e1276de).
Report is 185 commits behind head on change/control-data-plane-split.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/mode/static/provisioner/eventloop.go | 33.33% | 30 Missing and 2 partials ⚠️ |
| internal/mode/static/provisioner/setter.go | 0.00% | 15 Missing ⚠️ |
| ...nal/mode/static/provisioner/openshift/openshift.go | 0.00% | 14 Missing ⚠️ |
| internal/mode/static/provisioner/provisioner.go | 50.00% | 2 Missing and 1 partial ⚠️ |
| cmd/gateway/commands.go | 91.66% | 1 Missing ⚠️ |
| internal/mode/static/manager.go | 50.00% | 1 Missing ⚠️ |

Additional details and impacted files
@@                         Coverage Diff                         @@
##           change/control-data-plane-split    #3278      +/-   ##
===================================================================
- Coverage                            89.74%   86.50%   -3.25%     
===================================================================
  Files                                  109      125      +16     
  Lines                                11150    14453    +3303     
  Branches                                50       62      +12     
===================================================================
+ Hits                                 10007    12502    +2495     
- Misses                                1083     1813     +730     
- Partials                                60      138      +78     


@sjberman sjberman merged commit e6cae12 into change/control-data-plane-split Apr 7, 2025
35 of 44 checks passed
@sjberman sjberman deleted the chore/openshift branch April 7, 2025 13:36
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in NGINX Gateway Fabric Apr 7, 2025
sjberman added a commit that referenced this pull request Apr 23, 2025
sjberman added a commit that referenced this pull request May 6, 2025
sjberman added a commit that referenced this pull request May 14, 2025