Merge pull request #6775 from blackpiglet/psa_audit_warn_v1.9

[cherry-pick][release-1.9]Add PSA audit and warn labels.

changelogs/unreleased/6775-blackpiglet

@@ -0,0 +1 @@
+Add PSA audit and warn labels.

pkg/install/resources.go

@@ -30,6 +30,11 @@ import (
 	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 )
 
+const (
+	podSecurityLevel   = "privileged"
+	podSecurityVersion = "latest"
+)
+
 var (
 	DefaultVeleroPodCPURequest = "500m"
 	DefaultVeleroPodMemRequest = "128Mi"
@@ -144,8 +149,12 @@ func Namespace(namespace string) *corev1.Namespace {
 		},
 	}
 
-	ns.Labels["pod-security.kubernetes.io/enforce"] = "privileged"
-	ns.Labels["pod-security.kubernetes.io/enforce-version"] = "latest"
+	ns.Labels["pod-security.kubernetes.io/enforce"] = podSecurityLevel
+	ns.Labels["pod-security.kubernetes.io/enforce-version"] = podSecurityVersion
+	ns.Labels["pod-security.kubernetes.io/audit"] = podSecurityLevel
+	ns.Labels["pod-security.kubernetes.io/audit-version"] = podSecurityVersion
+	ns.Labels["pod-security.kubernetes.io/warn"] = podSecurityLevel
+	ns.Labels["pod-security.kubernetes.io/warn-version"] = podSecurityVersion
 
 	return ns
 }

pkg/install/resources_test.go

@@ -45,6 +45,10 @@ func TestResources(t *testing.T) {
 	// PSA(Pod Security Admission) and PSS(Pod Security Standards).
 	assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce"], "privileged")
 	assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce-version"], "latest")
+	assert.Equal(t, ns.Labels["pod-security.kubernetes.io/audit"], "privileged")
+	assert.Equal(t, ns.Labels["pod-security.kubernetes.io/audit-version"], "latest")
+	assert.Equal(t, ns.Labels["pod-security.kubernetes.io/warn"], "privileged")
+	assert.Equal(t, ns.Labels["pod-security.kubernetes.io/warn-version"], "latest")
 
 	crb := ClusterRoleBinding(DefaultVeleroNamespace)
 	// The CRB is a cluster-scoped resource