Skip to content

Fix ingress reconciliation when OwnerReferencesPermissionEnforcement is active#43949

Merged
giorio94 merged 2 commits intomainfrom
pr/giorio94/main/clustermesh-kind-blockowners
Jan 27, 2026
Merged

Fix ingress reconciliation when OwnerReferencesPermissionEnforcement is active#43949
giorio94 merged 2 commits intomainfrom
pr/giorio94/main/clustermesh-kind-blockowners

Conversation

@giorio94
Copy link
Copy Markdown
Member

@giorio94 giorio94 commented Jan 23, 2026

The CI changes from #43912 highlighted an issue in ingresses reconciliation when the OwnerReferencesPermissionEnforcement admission plugin is active, and got subsequently reverted to unbreak the main branch. This PR fixes the issue by adding the appropriate permissions to the cilium operator, and reapplies the test change to catch possible regressions in the future.

/cc @fgiloux FYI

Grant permissions to the cilium-operator so that it can reconcile ingresses when the when the admission plugin OwnerReferencesPermissionEnforcement is activated

@giorio94
install: grant Cilium operator permissions to update ingress finalizers
195f625 
This is required when the OwnerReferencesPermissionEnforcement admission
plugin is set, because the operator creates CiliumEnvoyConfig resources
owned by the corresponding ingress, with the blockOwnerDeletion flag set.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
Reapply "chore: Add OwnerReferencesPermissionEnforcement to kind in CI"
eea13bf 
This reverts commit a6557b7.

Now that the remaining outstanding issues have been fixed, let's enable
again the OwnerReferencesPermissionEnforcement admission plugin in
Cluster Mesh workflows, to simplify catching possible regressions in
the future.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94 giorio94 added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. affects/v1.16 This issue affects v1.16 branch affects/v1.17 This issue affects v1.17 branch needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch affects/v1.18 This issue affects v1.18 branch affects/v1.19 This issue affects v1.19 branch needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Jan 23, 2026
@giorio94 giorio94 changed the title Pr/giorio94/main/clustermesh kind blockowners Fix ingress reconciliation when OwnerReferencesPermissionEnforcement is active Jan 23, 2026
@giorio94 giorio94 mentioned this pull request Jan 23, 2026
Merged
@giorio94
Copy link
Copy Markdown
Member Author

giorio94 commented Jan 23, 2026

/ci-clustermesh

@giorio94
Copy link
Copy Markdown
Member Author

giorio94 commented Jan 23, 2026

/test

@giorio94 giorio94 marked this pull request as ready for review January 23, 2026 12:57
@giorio94 giorio94 requested review from a team as code owners January 23, 2026 12:57
@giorio94 giorio94 requested review from gandro and nbusseneau January 23, 2026 12:57
@giorio94 giorio94 added the backport/author The backport will be carried out by the author of the PR. label Jan 23, 2026
@giorio94 giorio94 enabled auto-merge January 26, 2026 08:20
@giorio94 giorio94 added this pull request to the merge queue Jan 27, 2026
Merged via the queue into main with commit 8887aac Jan 27, 2026
532 of 537 checks passed
@giorio94 giorio94 deleted the pr/giorio94/main/clustermesh-kind-blockowners branch January 27, 2026 08:39
@odinuge odinuge mentioned this pull request Jan 27, 2026
Closed
@giorio94 giorio94 mentioned this pull request Jan 27, 2026
Merged
2 tasks
@giorio94 giorio94 added backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. and removed needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Jan 27, 2026
@github-actions github-actions bot added backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. and removed backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. labels Jan 28, 2026
@giorio94 giorio94 mentioned this pull request Feb 2, 2026
Merged
2 tasks
@giorio94 giorio94 added backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. and removed needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch labels Feb 2, 2026
@github-actions github-actions bot added backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. and removed backport-pending/1.19 The backport for Cilium 1.19.x for this PR is in progress. labels Feb 2, 2026
@cilium-release-bot cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026
@MrFreezeex MrFreezeex mentioned this pull request Feb 20, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gandro gandro gandro approved these changes

@aanm aanm aanm approved these changes

@nbusseneau nbusseneau Awaiting requested review from nbusseneau nbusseneau is a code owner automatically assigned from cilium/github-sec

+1 more reviewer

@fgiloux fgiloux fgiloux approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

affects/v1.16 This issue affects v1.16 branch affects/v1.17 This issue affects v1.17 branch affects/v1.18 This issue affects v1.18 branch affects/v1.19 This issue affects v1.19 branch backport/author The backport will be carried out by the author of the PR. backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. backport-done/1.19 The backport for Cilium 1.19.x for this PR is done. kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium.

Projects

No open projects
cilium v1.19.0
Status: Released

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@giorio94 @gandro @aanm @fgiloux @msune