cluster-policy-controller
The cluster-policy-controller is responsible for maintaining policy resources necessary to create pods in a cluster.
Controllers managed by cluster-policy-controller are:
- cluster quota reconcilion - manages cluster quota usage
- namespace SCC allocation controller - allocates UIDs and SELinux labels for namespaces
- cluster csr approver controller - csr approver for monitoring scraping
- podsecurity admission label syncer controller - configure the PodSecurity admission namespace label for namespaces with "security.openshift.io/scc.podSecurityLabelSync: true" label
Run
The cluster-policy-controller runs as a container in the openshift-kube-controller-manager namespace, in the kube-controller-manager static pod.
This pod is defined and managed by the kube-controller-manager
OpenShift ClusterOperator.
that installs and maintains the KubeControllerManager Custom Resource in a cluster. It can be viewed with:
oc get clusteroperator kube-controller-manager -o yaml
Test
Many OpenShift ClusterOperators and Operands share common build, test, deployment, and update methods, see How do I build|update|verify|run unit-tests.
See How can I test changes to an OpenShift operator/operand/release component? to deploy OpenShift with your test cluster-kube-controller-manager-operator and cluster-policy-controller images.
Rebase
Follow this checklist and copy into the PR:
- Select the desired kubernetes release branch, and use its
go.mod and CHANGELOG as references for the rest of the work.
- Bump go version, all
k8s.io/, github.com/openshift/, and any other relevant dependencies as needed.
- Run
go mod vendor && go mod tidy, commit that separately from all other changes.
- Bump image versions (Dockerfile, ci...) if needed.
- Run
make build verify test.
- Make code changes as needed until the above pass.
- Any other minor update, like documentation.