cluster-policy-controller

cluster-policy-controller

The cluster-policy-controller is responsible for maintaining policy resources necessary to create pods in a cluster. Controllers managed by cluster-policy-controller are:

• cluster quota reconcilion - manages cluster quota usage
• namespace SCC allocation controller - allocates UIDs and SELinux labels for namespaces
• cluster csr approver controller - csr approver for monitoring scraping
• podsecurity admission label syncer controller - configure the PodSecurity admission namespace label for namespaces with "security.openshift.io/scc.podSecurityLabelSync: true" label

Run

The cluster-policy-controller runs as a container in the openshift-kube-controller-manager namespace, in the kube-controller-manager static pod. This pod is defined and managed by the kube-controller-manager OpenShift ClusterOperator. that installs and maintains the KubeControllerManager Custom Resource in a cluster. It can be viewed with:

oc get clusteroperator kube-controller-manager -o yaml

Test

Many OpenShift ClusterOperators and Operands share common build, test, deployment, and update methods, see How do I build|update|verify|run unit-tests.

See How can I test changes to an OpenShift operator/operand/release component? to deploy OpenShift with your test cluster-kube-controller-manager-operator and cluster-policy-controller images.

Rebase

Follow this checklist and copy into the PR:

• Select the desired kubernetes release branch, and use its go.mod and CHANGELOG as references for the rest of the work.
• Bump go version, all k8s.io/, github.com/openshift/, and any other relevant dependencies as needed.
• Run go mod vendor && go mod tidy, commit that separately from all other changes.
• Bump image versions (Dockerfile, ci...) if needed.
• Run make build verify test.
• Make code changes as needed until the above pass.
• Any other minor update, like documentation.