Skip to content

v1.18 Backports 2026-01-27#44034

Merged
giorio94 merged 3 commits intov1.18from
pr/v1.18-backport-2026-01-27-04-41
Jan 28, 2026
Merged

v1.18 Backports 2026-01-27#44034
giorio94 merged 3 commits intov1.18from
pr/v1.18-backport-2026-01-27-04-41

Conversation

@giorio94
Copy link
Copy Markdown
Member

@giorio94 giorio94 commented Jan 27, 2026
edited
Loading

ℹ️ I've dropped the second commit from #43949, as it reapplied the second one from #43912, that had been previously reverted on main. I've also reordered the commits so that the one enabling the check in CI comes after the fixes.

Once this PR is merged, a GitHub action will update the labels of these PRs:

 43912 43949

fgiloux and others added 3 commits January 27, 2026 16:41
@fgiloux @giorio94
fix: Cluster Mesh work with OwnerReferencesPermissionEnforcement
6a7daad 
[ upstream commit 72c362a ]

Some clusters have the admission plugin OwnerReferencesPermissionEnforcement
activated. This plugin protects access to metadata.ownerReferences[x].blockOwnerDeletion,
only users with the update permission to the finalizers subresource of the referenced
owner can change it.
This adds such permissions to the cilium-operator clusterRole, as the operator sets
EnpointSlices owner references.

Signed-off-by: Frederic Giloux <frederic.giloux@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
install: grant Cilium operator permissions to update ingress finalizers
143069d 
[ upstream commit 680ea6f ]

This is required when the OwnerReferencesPermissionEnforcement admission
plugin is set, because the operator creates CiliumEnvoyConfig resources
owned by the corresponding ingress, with the blockOwnerDeletion flag set.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@fgiloux @giorio94
chore: Add OwnerReferencesPermissionEnforcement to kind in CI
b235974 
[ upstream commit f682f08 ]

The admission plugin OwnerReferencesPermissionEnforcement adds
constraints when owner references are set. This plugin is, for
instance, activated by default on OpenShift. This will help with
catching permission issues in CI.

Signed-off-by: Frederic Giloux <frederic.giloux@isovalent.com>
Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94 giorio94 added kind/backports This PR provides functionality previously merged into master. backport/1.18 This PR represents a backport for Cilium 1.18.x of a PR that was merged to main. labels Jan 27, 2026
@giorio94
Copy link
Copy Markdown
Member Author

giorio94 commented Jan 27, 2026

/ci-clustermesh

@giorio94
Copy link
Copy Markdown
Member Author

giorio94 commented Jan 27, 2026

/test

@giorio94 giorio94 marked this pull request as ready for review January 28, 2026 11:00
@giorio94 giorio94 requested a review from a team as a code owner January 28, 2026 11:00
@giorio94 giorio94 requested a review from mhofstetter January 28, 2026 11:00
@giorio94 giorio94 enabled auto-merge January 28, 2026 11:00
@giorio94 giorio94 added this pull request to the merge queue Jan 28, 2026
Merged via the queue into v1.18 with commit f0ce5ef Jan 28, 2026
313 of 316 checks passed
@giorio94 giorio94 deleted the pr/v1.18-backport-2026-01-27-04-41 branch January 28, 2026 11:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@julianwiedmann julianwiedmann julianwiedmann approved these changes

@mhofstetter mhofstetter Awaiting requested review from mhofstetter

+1 more reviewer

@fgiloux fgiloux fgiloux approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport/1.18 This PR represents a backport for Cilium 1.18.x of a PR that was merged to main. kind/backports This PR provides functionality previously merged into master.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@giorio94 @fgiloux @julianwiedmann @msune