Use restricted namespace for opensource apiserver (#3489)

* use restricted namespace for opensource apiserver * when hostNetwork is required, use PSSPrivileged namespace label
tigera · Oct 2, 2024 · 112f043 · 112f043
1 parent 3c92482
commit 112f043
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go
@@ -264,9 +264,13 @@ func (c *apiServerComponent) Objects() ([]client.Object, []client.Object) {
 		namespacedEnterpriseObjects = append(namespacedEnterpriseObjects, c.cfg.TrustedBundle.ConfigMap(QueryserverNamespace))
 	}
 
+	podSecurityNamespaceLabel := PodSecurityStandard(PSSRestricted)
+	if c.hostNetwork() {
+		podSecurityNamespaceLabel = PSSPrivileged
+	}
 	// Global OSS-only objects.
 	globalCalicoObjects := []client.Object{
-		CreateNamespace(rmeta.APIServerNamespace(operatorv1.Calico), c.cfg.Installation.KubernetesProvider, PSSPrivileged),
+		CreateNamespace(rmeta.APIServerNamespace(operatorv1.Calico), c.cfg.Installation.KubernetesProvider, podSecurityNamespaceLabel),
 	}
 
 	// Compile the final arrays based on the variant.