Use restricted namespace for opensource apiserver (#3489)

* use restricted namespace for opensource apiserver * when hostNetwork is required, use PSSPrivileged namespace label
tigera · Sep 25, 2024 · 62b56a8 · 62b56a8
1 parent 57b61bc
commit 62b56a8
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go
@@ -296,9 +296,13 @@ func (c *apiServerComponent) Objects() ([]client.Object, []client.Object) {
 		objsToDelete = append(objsToDelete, &admregv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: SidecarMutatingWebhookConfigName}})
 	}
 
+	podSecurityNamespaceLabel := PodSecurityStandard(PSSRestricted)
+	if c.hostNetwork() {
+		podSecurityNamespaceLabel = PSSPrivileged
+	}
 	// Global OSS-only objects.
 	globalCalicoObjects := []client.Object{
-		CreateNamespace(rmeta.APIServerNamespace(operatorv1.Calico), c.cfg.Installation.KubernetesProvider, PSSPrivileged),
+		CreateNamespace(rmeta.APIServerNamespace(operatorv1.Calico), c.cfg.Installation.KubernetesProvider, podSecurityNamespaceLabel),
 	}
 
 	// Compile the final arrays based on the variant.