
ROX-32155: Add cluster/namespace label fields to policy-as-code CRDs #19546

Merged
AlexVulaj merged 1 commit into master from AlexVulaj/ROX-32155-policy-as-code-crd-new-fields
Mar 23, 2026


@AlexVulaj AlexVulaj commented Mar 23, 2026

Description

This PR extends the policy-as-code SecurityPolicy CRD to support cluster label and namespace label scoping. The changes add ClusterLabel and NamespaceLabel fields to the Scope struct in the config-controller API, following the same pattern as the existing Label field.

https://redhat.atlassian.net/browse/ROX-32155

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

Verified that the new clusterLabel and namespaceLabel fields work correctly in SecurityPolicy CRDs:

  • Test Case 1: Policy scope with cluster label
  • Test Case 2: Policy scope with namespace label
  • Test Case 3: Combined label types in single scope (deployment, cluster, and namespace labels together)
  • Test Case 4: Exclusion scope with cluster label
  • Test Case 5: Exclusion scope with namespace label

Validated that:

  • Feature flag ROX_LABEL_BASED_POLICY_SCOPING must be enabled in Central for policies using these fields
  • CRD accepts new fields correctly
  • Config-controller reconciles policies and updates status conditions appropriately
  • Central accepts policies
  • New label fields propagate correctly through Central's /v1/policies API
  • Policy scopes work as expected with the new fields

@AlexVulaj AlexVulaj requested a review from a team as a code owner March 23, 2026 15:20
@AlexVulaj AlexVulaj requested review from porridge and removed request for a team March 23, 2026 15:20
@AlexVulaj AlexVulaj changed the title ROX-32155: Add cluster and namespace label fields to policy-as-code CRDs ROX-32155: Add cluster/namespace label fields to policy-as-code CRDs Mar 23, 2026
@AlexVulaj AlexVulaj force-pushed the AlexVulaj/ROX-32155-policy-as-code-crd-new-fields branch from 432f1b5 to 1a04daf Compare March 23, 2026 15:59

codecov bot commented Mar 23, 2026

Codecov Report

❌ Patch coverage is 92.30769% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 49.27%. Comparing base (b1cc760) to head (5e8cf1d).
⚠️ Report is 5 commits behind head on master.

Files with missing lines Patch % Lines
...g-controller/api/v1alpha1/zz_generated.deepcopy.go 0.00% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #19546      +/-   ##
==========================================
+ Coverage   49.26%   49.27%   +0.01%     
==========================================
  Files        2727     2727              
  Lines      205788   205814      +26     
==========================================
+ Hits       101383   101419      +36     
+ Misses      96874    96865       -9     
+ Partials     7531     7530       -1     
Flag Coverage Δ
go-unit-tests 49.27% <92.30%> (+0.01%) ⬆️


rhacs-bot commented Mar 23, 2026

Images are ready for the commit at 5e8cf1d.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-412-g5e8cf1dce4.

@AlexVulaj AlexVulaj force-pushed the AlexVulaj/ROX-32155-policy-as-code-crd-new-fields branch from 1a04daf to 5e8cf1d Compare March 23, 2026 16:46
@AlexVulaj AlexVulaj merged commit 3183de3 into master Mar 23, 2026
98 of 102 checks passed
@AlexVulaj AlexVulaj deleted the AlexVulaj/ROX-32155-policy-as-code-crd-new-fields branch March 23, 2026 20:10