Merge pull request #3528 from mihivagyok/cherry-pick-pr3489-use-restr…

…icted-namespace [Pick #3489] Use restricted namespace for opensource calico-apiserver (v1.34)
tigera · Oct 28, 2024 · 64f8bcc · 64f8bcc
2 parents 4420a6c + 112f043
commit 64f8bcc
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/pkg/render/apiserver.go b/pkg/render/apiserver.go
@@ -264,9 +264,13 @@ func (c *apiServerComponent) Objects() ([]client.Object, []client.Object) {
 		namespacedEnterpriseObjects = append(namespacedEnterpriseObjects, c.cfg.TrustedBundle.ConfigMap(QueryserverNamespace))
 	}
 
+	podSecurityNamespaceLabel := PodSecurityStandard(PSSRestricted)
+	if c.hostNetwork() {
+		podSecurityNamespaceLabel = PSSPrivileged
+	}
 	// Global OSS-only objects.
 	globalCalicoObjects := []client.Object{
-		CreateNamespace(rmeta.APIServerNamespace(operatorv1.Calico), c.cfg.Installation.KubernetesProvider, PSSPrivileged),
+		CreateNamespace(rmeta.APIServerNamespace(operatorv1.Calico), c.cfg.Installation.KubernetesProvider, podSecurityNamespaceLabel),
 	}
 
 	// Compile the final arrays based on the variant.