vmware-tanzu
/
velero
mirror of https://github.com/vmware-tanzu/velero.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add labels for created namespace during velero installation to adopt k8s v1.25's PSS and PSA. 

Signed-off-by: Xun Jiang <blackpiglet@gmail.com>
pull/5887/head
Xun Jiang 2023-02-17 15:30:21 +08:00
parent 2f9735675d
commit 145a91f59b
3 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
changelogs/unreleased/5887-blackpiglet Normal file
View File

@ -0,0 +1 @@
Add labels for velero installed namespace to support PSA.

7
pkg/install/resources.go
View File

@ -136,13 +136,18 @@ func ClusterRoleBinding(namespace string) *rbacv1.ClusterRoleBinding {
} }
func Namespace(namespace string) *corev1.Namespace { func Namespace(namespace string) *corev1.Namespace {
return &corev1.Namespace{ ns := &corev1.Namespace{
ObjectMeta: objectMeta("", namespace), ObjectMeta: objectMeta("", namespace),
TypeMeta: metav1.TypeMeta{ TypeMeta: metav1.TypeMeta{
Kind: "Namespace", Kind: "Namespace",
APIVersion: corev1.SchemeGroupVersion.String(), APIVersion: corev1.SchemeGroupVersion.String(),
}, },
} }
ns.Labels["pod-security.kubernetes.io/enforce"] = "privileged"
ns.Labels["pod-security.kubernetes.io/enforce-version"] = "latest"
return ns
} }
func BackupStorageLocation(namespace, provider, bucket, prefix string, config map[string]string, caCert []byte) *velerov1api.BackupStorageLocation { func BackupStorageLocation(namespace, provider, bucket, prefix string, config map[string]string, caCert []byte) *velerov1api.BackupStorageLocation {

5
pkg/install/resources_test.go
View File

@ -40,6 +40,11 @@ func TestResources(t *testing.T) {
ns := Namespace("velero") ns := Namespace("velero")
assert.Equal(t, "velero", ns.Name) assert.Equal(t, "velero", ns.Name)
// For k8s version v1.25 and later, need to add the following labels to make
// velero installation namespace has privileged version to work with
// PSA(Pod Security Admission) and PSS(Pod Security Standards).
assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce"], "privileged")
assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce-version"], "latest")
crb := ClusterRoleBinding(DefaultVeleroNamespace) crb := ClusterRoleBinding(DefaultVeleroNamespace)
// The CRB is a cluster-scoped resource // The CRB is a cluster-scoped resource