From d6887002ee2a865fc0fb15340ec876dea4ca8f81 Mon Sep 17 00:00:00 2001
From: Oskar Otwinowski
Date: Wed, 10 Jun 2026 18:12:09 +0200
Subject: [PATCH] feat(supervisor): stamp org identity label on compute microVMs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The compute workload manager now sets `org=` on every microVM (create + restore) unconditionally, replacing the plan-gated `privatelink` label on the compute path. fcrun promotes it into the Cilium security identity for the per-org PrivateLink CCNP selector and per-org network observability. The legacy Kubernetes workload manager is unchanged — it keeps the `privatelink` label gated on hasPrivateLink (PrivateLink is live only on the legacy v4-worker clusters). orgId is guarded on the restore path where it's optional on the opts type. fixup: concise comments + changeset
---
 .server-changes/compute-org-label.md | 8 +++++++
 .../supervisor/src/workloadManager/compute.ts | 21 ++++++++-----------
 2 files changed, 17 insertions(+), 12 deletions(-)
 create mode 100644 .server-changes/compute-org-label.md

diff --git a/.server-changes/compute-org-label.md b/.server-changes/compute-org-label.md
new file mode 100644
index 0000000000..9306a0e2dc
--- /dev/null
+++ b/.server-changes/compute-org-label.md
@@ -0,0 +1,8 @@
+---
+area: supervisor
+type: improvement
+---
+
+Compute workload manager now sets an `org` label on every run (create +
+restore) for network-policy selection, instead of a plan-gated label. The
+Kubernetes workload manager is unchanged.
diff --git a/apps/supervisor/src/workloadManager/compute.ts b/apps/supervisor/src/workloadManager/compute.ts
index 3efad7d407..abe9af5a49 100644
--- a/apps/supervisor/src/workloadManager/compute.ts
+++ b/apps/supervisor/src/workloadManager/compute.ts
@@ -133,13 +133,11 @@ export class ComputeWorkloadManager implements WorkloadManager {
 // Strip image digest - resolve by tag, not digest
 const imageRef = stripImageDigest(opts.image);
 
- // Labels forwarded to the compute provider for network-policy selection;
- // the provider promotes a configured subset to its network layer. Mirrors
- // the privatelink label the Kubernetes workload manager sets on the run pod.
- const labels: Record = {};
- if (opts.hasPrivateLink) {
- labels.privatelink = opts.orgId;
- }
+ // Labels forwarded to the compute provider for network-policy selection.
+ // `org` is always set so every run carries its org identity.
+ const labels: Record = {
+ org: opts.orgId,
+ };
 
 // Wide event: single canonical log line emitted in finally
 const event: Record = {
@@ -319,12 +317,11 @@ export class ComputeWorkloadManager implements WorkloadManager {
 TRIGGER_WORKER_INSTANCE_NAME: this.opts.runner.instanceName,
 };
 
- // Resupply the same labels on restore (mirror of the create path); the
- // provider doesn't persist them across a snapshot, so without this a
- // restored run would lose its policy-based network selection.
+ // Resupply labels on restore (the provider doesn't persist them across a
+ // snapshot). orgId is optional on the restore opts type, so guard it.
 const labels: Record = {};
- if (opts.hasPrivateLink && opts.orgId) {
- labels.privatelink = opts.orgId;
+ if (opts.orgId) {
+ labels.org = opts.orgId;
 }
 
 this.logger.verbose("restore request body", {
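Review bot: `org: opts.orgId` is stamped unconditionally, but nothing at this point asserts the value is a non-empty string, and according to the commit message the provider promotes this label into the Cilium security identity that the per-org PrivateLink selector keys on. An empty or undefined value reaching here would yield a run whose network identity is blank instead of a failed create; consider failing closed before the literal, `if (!opts.orgId) throw new Error("orgId is required: it becomes the microVM network identity label");`. If the provider applies Kubernetes-style label-value constraints (length and character set), it is also worth confirming that every orgId format satisfies them, since a rejected label would otherwise surface only at provider time. The enclosing method starts and ends outside the hunk.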
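Review bot: When `opts.orgId` is absent the restored microVM silently gets no `org` label, so it falls outside the per-org selector and per-org observability that the create path now guarantees, and nothing records that this happened. At minimum the omitted case should be visible: add an `else` branch on the guard that logs at warning level (if `this.logger` exposes one) with a message such as `"restore without orgId; org label omitted"` together with the run identifier; better still, make orgId required on the restore opts type so the two paths cannot diverge. The enclosing method starts and ends outside the hunk.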