vmware-tanzu
/
velero
mirror of https://github.com/vmware-tanzu/velero.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #6775 from blackpiglet/psa_audit_warn_v1.9 

[cherry-pick][release-1.9]Add PSA audit and warn labels.
release-1.9
qiuming 2023-09-12 14:57:11 +08:00 committed by GitHub
parent 4d97aa4964 cb6838325d
commit 4f5a61b8e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
changelogs/unreleased/6775-blackpiglet Normal file
View File

@ -0,0 +1 @@
Add PSA audit and warn labels.

13
pkg/install/resources.go
View File

@ -30,6 +30,11 @@ import (
velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1" velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
) )
const (
podSecurityLevel = "privileged"
podSecurityVersion = "latest"
)
var ( var (
DefaultVeleroPodCPURequest = "500m" DefaultVeleroPodCPURequest = "500m"
DefaultVeleroPodMemRequest = "128Mi" DefaultVeleroPodMemRequest = "128Mi"
@ -144,8 +149,12 @@ func Namespace(namespace string) *corev1.Namespace {
}, },
} }
ns.Labels["pod-security.kubernetes.io/enforce"] = "privileged" ns.Labels["pod-security.kubernetes.io/enforce"] = podSecurityLevel
ns.Labels["pod-security.kubernetes.io/enforce-version"] = "latest" ns.Labels["pod-security.kubernetes.io/enforce-version"] = podSecurityVersion
ns.Labels["pod-security.kubernetes.io/audit"] = podSecurityLevel
ns.Labels["pod-security.kubernetes.io/audit-version"] = podSecurityVersion
ns.Labels["pod-security.kubernetes.io/warn"] = podSecurityLevel
ns.Labels["pod-security.kubernetes.io/warn-version"] = podSecurityVersion
return ns return ns
} }

4
pkg/install/resources_test.go
View File

@ -45,6 +45,10 @@ func TestResources(t *testing.T) {
// PSA(Pod Security Admission) and PSS(Pod Security Standards). // PSA(Pod Security Admission) and PSS(Pod Security Standards).
assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce"], "privileged") assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce"], "privileged")
assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce-version"], "latest") assert.Equal(t, ns.Labels["pod-security.kubernetes.io/enforce-version"], "latest")
assert.Equal(t, ns.Labels["pod-security.kubernetes.io/audit"], "privileged")
assert.Equal(t, ns.Labels["pod-security.kubernetes.io/audit-version"], "latest")
assert.Equal(t, ns.Labels["pod-security.kubernetes.io/warn"], "privileged")
assert.Equal(t, ns.Labels["pod-security.kubernetes.io/warn-version"], "latest")
crb := ClusterRoleBinding(DefaultVeleroNamespace) crb := ClusterRoleBinding(DefaultVeleroNamespace)
// The CRB is a cluster-scoped resource // The CRB is a cluster-scoped resource