
Commit fd7e11e

fix(operator): add extract selectors to gateway in netobserv mode to fix
fine-grained AuthZ
1 parent 145b063 commit fd7e11e


1 file changed

+10
-2
lines changed


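--- a/operator/internal/manifests/openshift/configure.go
+++ b/operator/internal/manifests/openshift/configure.go
@@ -73,15 +73,23 @@ func ConfigureGatewayDeployment(
 return kverrors.Wrap(err, "failed to merge sidecar container spec ")
 }
 
-if mode == lokiv1.OpenshiftLogging {
+if mode == lokiv1.OpenshiftLogging || mode == lokiv1.OpenshiftNetwork {
 // enable extraction of namespace selector
 for i, c := range d.Spec.Template.Spec.Containers {
 if c.Name != "gateway" {
 continue
 }
 
+var authSelectors string
+switch mode {
+case lokiv1.OpenshiftLogging:
+authSelectors = opaDefaultLabelMatchers
+case lokiv1.OpenshiftNetwork:
+authSelectors = opaNetworkLabelMatchers
+}
+
 d.Spec.Template.Spec.Containers[i].Args = append(d.Spec.Template.Spec.Containers[i].Args,
-fmt.Sprintf("--logs.auth.extract-selectors=%s", opaDefaultLabelMatchers),
+fmt.Sprintf("--logs.auth.extract-selectors=%s", authSelectors),
 )
 }
 }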
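Review bot: The new `switch mode` has no `default` branch, so the set of modes is now listed twice (in the enclosing `if` and in the switch) and the two lists can drift apart. If a mode is later added to the `if` without a matching case, `authSelectors` stays empty and the gateway is started with `--logs.auth.extract-selectors=` and no selectors. Since the commit message ties these selectors to fine-grained AuthZ, that would presumably leave authorization without namespace scoping and give no error. I would fail closed by adding `default: return kverrors.New("no extract selectors defined for mode", "mode", mode)`. A test asserting the gateway args for `lokiv1.OpenshiftNetwork` would also pin this fix. ConfigureGatewayDeployment begins before and continues after this hunk, so any later validation is not visible here.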
