[k8s] Allow using existing namespace or allow adding labels to namespace on creation

Bug #1997954 reported by Bartłomiej Poniecki-Klotz
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Canonical Juju | Triaged | Medium | Unassigned | |

Bug Description

We have a customer who requires some labels in the namespace before we can put any workload in it, like `pod-security.kubernetes.io/audit=privileged,pod-security.kubernetes.io/enforce=privileged`.

On each add-model juju creates a namespace without these labels and then security tools treat this namespace as labelled `pod-security.kubernetes.io/audit=restricted,pod-security.kubernetes.io/enforce=restricted`.

Is it possible to use the existing namespace (without destruction or recreation with the same labels) or to add custom labels to the model namespace?

Thomas Miller (tlmiller) wrote:

Hi,

We currently don't support supplying custom labels for a model's namespace. However, once the namespace has been created with add-model you would be free to go and edit the namespace and add/change any labels you wanted to.

All we ask is to just leave the juju labels in place as they are required for Juju to work.

Regards
tlm

Changed in juju:
importance: Undecided → Medium
status: New → Triaged
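
The workaround from the comment above (edit the namespace after add-model, leave Juju's labels alone), sketched as an added example that is not Juju's code or part of the original report. It builds a JSON merge patch that touches only Pod Security labels; the namespace name `my-model` and the `juju-placeholder.example/model` label key are constructed stand-ins, not real Juju label names.

```python
import json

PSA_PREFIX = "pod-security.kubernetes.io/"
PSA_MODES = ("enforce", "audit", "warn")
PSA_LEVELS = ("privileged", "baseline", "restricted")

# Constructed sample of `kubectl get namespace my-model -o json` after
# add-model. The first label key is a made-up stand-in for Juju's own labels.
SAMPLE_NS = {
    "metadata": {
        "name": "my-model",
        "labels": {
            "juju-placeholder.example/model": "my-model",
            "pod-security.kubernetes.io/audit": "restricted",
        },
    }
}

def psa_label_patch(namespace, wanted):
    """Build a JSON merge patch that sets only the requested PSA labels."""
    current = namespace.get("metadata", {}).get("labels") or {}
    changes = {}
    for mode, level in wanted.items():
        if mode not in PSA_MODES or level not in PSA_LEVELS:
            raise ValueError(f"not a Pod Security label: {mode}={level}")
        if current.get(PSA_PREFIX + mode) != level:
            changes[PSA_PREFIX + mode] = level
    # A merge patch leaves every key it does not name untouched, so the
    # labels Juju put on the namespace survive.
    return {"metadata": {"labels": changes}} if changes else None

def labels_after(namespace, patch):
    """Labels the namespace would carry once the patch is applied."""
    merged = dict(namespace.get("metadata", {}).get("labels") or {})
    if patch:
        merged.update(patch["metadata"]["labels"])
    return merged

def kubectl_argv(namespace, patch):
    """argv for applying the patch with kubectl."""
    name = namespace["metadata"]["name"]
    return ["kubectl", "patch", "namespace", name,
            "--type", "merge", "-p", json.dumps(patch, sort_keys=True)]

if __name__ == "__main__":
    want = {"enforce": "privileged", "audit": "privileged"}
    print(kubectl_argv(SAMPLE_NS, psa_label_patch(SAMPLE_NS, want)))
```
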
Bartłomiej Poniecki-Klotz (barteus) wrote:

In some clusters, there are automated tools (i.e. security) that will not allow the creation of any workload in the incorrectly labelled namespace. This means that the bootstrap or add-model action will fail. Next time juju will try to recreate the namespace and we will be in the same situation again.
